What just happened? The US Customs and Border Patrol (CBP) has confirmed that a “malicious cyberattack” on one of its subcontractors exposed photos of travelers entering or leaving the country, along with copies of their vehicles’ license plates.

It’s unknown exactly how many images were compromised but, as reported by TechCrunch, CBP said the incident affected fewer than 100,000 people through a “few specific lanes at a single land border” over a period of a month and a half. The agency added that it first learned of the breach on May 31. It never named the subcontractor.

While CBP says none of the stolen data ended up on the dark web or internet, news of the breach comes not long after The Register found files from government contractor Perceptics on the dark web. The company makes vehicle license plate readers used by the government to identify and track citizens. While it’s unclear if the two incidents are linked, a Microsoft Word document containing CBP’s statement included the name Perceptics in the title.

“Government agencies that rely extensively on contractors and third-party organizations are especially at risk from so-called supply-chain breaches. Without more details on what was compromised, it’s hard to tell what the impact might be. Personal details of all kinds can be used for identity theft and other schemes,” said Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire.

“Given that this breach is likely to contain a host of information from European Union data subjects, there may be challenging and interesting GDPR implications.”

With CBP speeding up its adoption of facial recognition for international travelers, incidents such as this one will doubtless raise more questions about the privacy and security implications of these systems.