A representative didn’t tell TechCrunch how much data had been taken, or how many American citizens were caught up in the breach. The agency said alerted Congress and said it was “closely monitoring” the subcontractor’s associated work.

CBP said that none of the info had been spotted on either the dark web or the public internet, although the company in question might have had at least one leak. Officials inadvertently mentioned the border crossing tech company Perceptics in their document title, and a Register report in late May indicated that data from the firm was available for free on the dark web. It’s not certain if that info is associated with the CBP’s breach.

The incident underscores a common problem with database security: it’s only as safe as the weakest link in the chain. If a contractor leaves data vulnerable, it doesn’t matter how airtight the government’s own practices are. And that raises concerns about plans for facial recognition at airports. Officials have vowed to limit access to image data, but it could only take a momentary lapse in security to compromise a vast library of sensitive images.