From the Highlights: "In May 2019, a U.S. Customs and Border Protection (CBP) subcontractor discovered it had been the victim of a cyber attack. Subsequently, CBP data, including traveler images from CBP's facial recognition pilot, appeared on the dark web. We conducted this review to determine whether CBP ensured adequate protection of biometric data during the 2019 pilot."
Department of Homeland Security, Office of Inspector General, Report No. OIG-20-71
Department of Homeland Security Office of Inspector General: https://www.oig.dhs.gov/