Photos of travelers who entered and exited the U.S. were stolen in a data breach

Photos of travelers collected by U.S. Customs and Border Protection (CBP) have been compromised in a data breach, the agency revealed on Monday.

The breach, first reported by the Washington Post, was confirmed in a statement by a CBP spokesperson to Mashable.

"CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network," the statement reads.

"The subcontractor’s network was subsequently compromised by a malicious cyber-attack. No CBP systems were compromised."

CBP added that none of the images that were stolen have been identified on the Dark Web or the internet, and that it has removed equipment involved in the breach.

The agency said initial reports indicate that fewer than 100,000 people were involved in the image breach, and the photographs were of travelers in vehicles entering and exiting the U.S. through a few lanes at a land border entry over a 1.5 month period.

"No other identifying information was included with the images. No passport or other travel document photographs were compromised and no images of airline passengers from the air entry/exit process were involved," the statement read.

News of the breach comes after revelations of CBP's planned expansion of its facial recognition technology at airports, where it would look to capture 97 percent of departing commercial air travelers from the U.S. over the next four years.

The move raised the ire of privacy advocates, and the CBP's latest incident has provoked calls for the agency to rethink its collection of travelers' data.

"This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices," ACLU Senior Legislative Counsel, Neema Singh Guliani, said in a statement.

"The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place."