A contractor for US Customs and Border Protection has been breached, leaking photos and other sensitive data, the agency announced on Monday. Initially described as “traveler photos,” many of the images seem to be pictures of traveler license plates, likely taken from cars at an automotive port of entry.

Customs has not named the contractor involved in the breach, but a Washington Post article noted that the announcement included a Word document with the name Perceptrics, a provider of automated license plate readers used at a number of southern ports of entry.

A breach at Perceptics was first reported by The Register on May 23rd, after the data was leaked to the publication by an individual using the pseudonym “Boris Bullet-Dodger.” That data included a number of time-stamped jpgs, presumed to be license plate photos, along with hundreds of gigabytes of internal email archives. According to The Register, the breach was so thorough that it included mp3 files from one employee’s workstation, including Stevie Wonder’s “Superstition” and the Spice Girls’ “Wannabe.”

Notably, Customs itself dates the beginning of the breach to several days later. According to an official statement, it wasn’t until May 31st that the agency learned that a contractor had copied CBP files to its own network, a violation of data security policies that enabled the breach. According to the statement, the contractor was subsequently breached. It’s unclear whether this was a separate incident from the breach reported by The Register as a number of details differ.

“As of today, none of the image data has been identified on the Dark Web or internet,” a Customs spokesperson said in a statement. “CBP has removed from service all equipment related to the breach and is closely monitoring all CBP work by the subcontractor.”

Still, the incident has raised serious doubts about the data security and surveillance practices by CBP, which has recently undertaken an ambitious facial recognition project at US airports. The American Civil Liberties Union called for an immediate congressional investigation in the wake of the breach, saying, “The best way to avoid breaches of sensitive personal data is not to collect and retain such data in the first place.”