On its website, the agency says that it routinely uses cameras and video recordings of people and vehicles seen at land border crossings and airports to form a growing agency facial-recognition program created to track the identity of people entering and leaving the country.
US Customs and Border Protection announced Monday photos of travelers and license plates were recently compromised in a data breach.
CBP said "none of the image data has been identified on the dark web or internet", but declined to answer questions about the scope of the attack and stolen data, and refused to name the subcontractor.
"The subcontractor's network was subsequently compromised by a malicious cyber-attack.No CBP systems were compromised", the agency said in a statement on Monday.
The attackers struck by targeting a third-party subcontractor, which had been storing the sensitive files over its own network.
The move raised the ire of privacy advocates, and the CBP's latest incident has provoked calls for the agency to rethink its collection of travelers' data.
The statement highlights that "no CBP systems were compromised", meaning it was only the subcontractor whose security was breached.
It's unclear how many people were affected by the breach, or if any images were from Texas land border crossings or airports.
It said it learned of the data breach on May 31 and that the subcontractor had transferred copies of the images to its company network in violation of government policies and without the agency's authorisation. But a Microsoft Word document of the agency's public statement, sent Monday to Washington Post reporters, included the name "Perceptics" in the title: "CBP Perceptics Public Statement". The agency said alerted Congress and said it was "closely monitoring" the subcontractor's associated work.
Perceptics did not immediately respond to an email seeking comment. The database includes passport headshots, but also images acquired from license plate readers, for all cars crossing a United States border.
It said that images of licence plates had been stolen as travellers.
"This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency's data practices", Singh Guliani added.
"The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place".
Just last week, members of Congress grew skeptical of the FBI's ability to implement "adequate privacy and accuracy guardrails" for U.S. citizens after Government Accountability Office (GAO) representative Gretta Goodwin revealed the bureau's available database contained some "640 million photos" of Americans nationwide.