At least 50,000 American license plate numbers have been made available on the dark web after a company hired by Customs and Border Protection was at the center of a major data breach, according to CNN analysis of the hacked data. What's more, the company was never authorized to keep the information, the agency told CNN.
"CBP does not authorize contractors to hold license plate data on non-CBP systems," an agency spokesperson told CNN.
The admission raises questions about who's responsible when the US government hires contractors to surveil citizens, but then those contractors mishandle the data.
"[CBP] keeps seeking to amass more information in a way that is concerning from a privacy and civil liberties standpoint, but also from a security standpoint, given that they've not demonstrated they can safeguard that information," Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, told CNN.
CBP collects license plate information to track which vehicles cross the border.
A CNN analysis of data hacked from CBP subcontractor Perceptics, which is now available on the dark web, shows records of what appear to be at least 50,000 unique American license plate numbers. That figure had not previously been made public.
In specific instances, CBP contractors are authorized to access Americans' license plate images to adjust their systems, like when a state issues a new license plate design and the system needs to calibrate it. But those periods are brief. "This data does have to be deleted," the CBP spokesperson said, though the agency didn't clarify the specifics of the policy that would apply to Perceptics.
In many cases, it's not clear whether the license plate numbers were collected for CBP or for one of Perceptics' other government or law enforcement contracts. Some portion, however, was for CBP, the spokesperson said. Perceptics didn't respond to multiple requests for comment.
In a statement when the breach was announced last week, CBP said it learned on May 31 that a subcontractor "had transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised by a malicious cyber-attack."
Last week, CBP said in a statement that "none of the image data has been identified on the Dark Web or internet," though CNN was still able to find it.
In addition to the license plate data, last week a CBP spokesperson said that photos of some travelers -- fewer than 100,000 -- had also been compromised.
CNN first obtained the information on the license plate records from the online archivist group Distributed Denial of Secrets, which has published some emails and contracts leaked from the Perceptics hack. They plan to publish far more, including a library of emails that will eventually be searchable, DDoS co-founder Emma Best told CNN.
CNN analyzed a list of hacked folder files and isolated the entries that appeared to be images, which yielded nearly 300,000 apparent images of license plate numbers. It then omitted duplicates, plates that appeared to be missing a state or plate number, and plates from a country other than the US.