U.S. Customs and Border Protection (CBP) did not adequately safeguard sensitive data on an unencrypted device used during its facial recognition technology pilot (known as the Vehicle Face System). A subcontractor working on this effort, Perceptics, LLC, transferred copies of CBP’s biometric data, such as traveler images, to its own company network. The subcontractor obtained access to this data without CBP’s authorization or knowledge, and compromised approximately 184,000 traveler images from CBP’s facial recognition pilot. Later in 2019, the Department of Homeland Security experienced a major privacy incident, as the subcontractor’s network was subjected to a malicious cyber attack. While CBP and DHS took immediate action to mitigate the data breach, we attribute this incident to the subcontractor violating numerous DHS security and privacy protocols for safeguarding sensitive data. Consequently, this incident may damage the public’s trust in the Government’s ability to safeguard biometric data, and may result in travelers’ reluctance to permit DHS to capture and use their biometrics at U.S. ports of entry. We made three recommendations to aid CBP in addressing the vulnerabilities that caused the 2019 data breach, and to better mitigate future incidents through greater oversight of third-party partners. CBP concurred with all three recommendations.