Border agency did 'not adequately safeguard' facial recognition data, watchdog finds
Posted September 23, 2020 4:54 p.m. EDT
CNN — Customs and Border Protection "did not adequately safeguard" sensitive data during its facial recognition technology pilot last year, according to a new government watchdog report.
The data breach, which CBP announced in 2019, compromised approximately 184,000 traveler images from CBP's facial recognition pilot, according to the Department of Homeland Security Inspector General, and at least 19 of the images were posted to the dark web.
"This incident may damage the public's trust in the Government's ability to safeguard biometric data and may result in travelers' reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry," the inspector general wrote.
CNN reported on the data breach involving a subcontractor, Perceptics, LLC, in June 2019.
A CNN analysis last year also found that at least 50,000 American license plate numbers were made available on the dark web after Perceptics, which was hired by CBP, was at the center of a major data breach. The company was never authorized to keep the information, the agency told CNN at the time.
According to the inspector general, during the pilot program, Perceptics transferred copies of CBP's biometric data, such as traveler images, to its own company network between August 2018 and January 2019.
The company's network was later "subjected to a malicious cyber attack." Perceptics staff violated security and privacy protocols when they downloaded the sensitive information onto their own network, according to the report. This occurred without CBP's knowledge.
However, the watchdog concluded that CBP's information security practices during the pilot were "inadequate to prevent the subcontractor's actions."