United States’ Customs and Border Protection (CBP) gathers a trove of information on people coming in and out of the country. Recently, CPB has started testing facial recognition at airports. Plus, the Trump administration now requires social media information from Visa applicants.

All of this information is extremely sensitive, so a leak is the last thing anyone wants. Unfortunately, CBP confirmed that a data breach exposed the photos of travelers and license plate images according to TechCrunch.

It seems that a subcontractor is responsible for the information leaking. According to TechCrunch, CBP said in a statement:

“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network.”

A spokesperson told the outlet that the breach has impacted “fewer than 100,000 people” through a “few specific lanes at a single land border” over a month and a half.

In addition, the spokesperson said that passports and other travel document photographs weren’t compromised. The breach didn’t include images of airline passengers, either.

Although the breach seems small, it illuminates a bigger problem. As American Civil Liberties’ Union (ACLU) Senior Legislative Counsel Neema Singh Guliani pointed out in a comment provided to AfroTech:

“This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travelers, including license plate information and social media identifiers. This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices. The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”

Perhaps the most concerning thing about CBP’s breach is that it’s not as if passwords were leaked. You can easily change a password after a site has a security breach, after all. However, it’s a lot harder to change your face.

As conversations around privacy continue to pick up, it’s important to be aware of what information is already being taken — and compromised — by government agencies.