Fiber optic cables feed into a switch inside a communications room at an office in London, U.K., on Monday, May 21, 2018. The Department of Culture, Media and Sport will work with the Home Office to publish a white paper later this year setting out legislation, according to a statement, which will also seek to force tech giants to reveal how they target abusive and illegal online material posted by users. Photographer: Jason Alden/Bloomberg via Getty Images
Bloomberg/Bloomberg/Bloomberg via Getty Images
Fiber optic cables feed into a switch inside a communications room at an office in London, U.K., on Monday, May 21, 2018. The Department of Culture, Media and Sport will work with the Home Office to publish a white paper later this year setting out legislation, according to a statement, which will also seek to force tech giants to reveal how they target abusive and illegal online material posted by users. Photographer: Jason Alden/Bloomberg via Getty Images
Now playing
02:18
How to protect yourself from hackers
Now playing
03:44
Do the 1990s hold the key to sustainable websites?
Now playing
01:10
Watch SpaceX land its Mars rocket prototype for the first time
Now playing
05:52
The climate crisis is taking these farmers' most valuable resource
U.S. President Donald Trump works on his phone during a roundtable at the State Dining Room of the White House June 18, 2020 in Washington, DC. President Trump held a roundtable discussion with Governors and small business owners on the reopening of American's small business. (Photo by Alex Wong/Getty Images)
Alex Wong/Getty Images
U.S. President Donald Trump works on his phone during a roundtable at the State Dining Room of the White House June 18, 2020 in Washington, DC. President Trump held a roundtable discussion with Governors and small business owners on the reopening of American's small business. (Photo by Alex Wong/Getty Images)
Now playing
02:37
Facebook Oversight Board: Indefinite suspension of Trump's account is 'not appropriate'
Now playing
03:41
How technology at NASA helps guide Biden on climate
Now playing
01:42
A vaccine without needles? It's on the way
SAN FRANCISCO, CA - FEBRUARY 06:  Host Conan O'Brien speaks onstage during the 5th Annual NFL Honors at Bill Graham Civic Auditorium on February 6, 2016 in San Francisco, California.  (Photo by Tim Mosenfelder/Getty Images)
Tim Mosenfelder/Getty Images
SAN FRANCISCO, CA - FEBRUARY 06: Host Conan O'Brien speaks onstage during the 5th Annual NFL Honors at Bill Graham Civic Auditorium on February 6, 2016 in San Francisco, California. (Photo by Tim Mosenfelder/Getty Images)
Now playing
01:48
Conan announces his last show after 30 years in late night
Drew Angerer/Getty Images
Now playing
03:14
Will Trump be allowed back on Facebook? This board will decide
CNN
Now playing
05:16
WTF is a SPAC?
Now playing
01:51
A shortage of tanker truck drivers could cause stations to run out of gas
CEO at Verizon Media K. Guru Gowrappan appears at the 2019 Verizon Media NewFront on April 30, 2019 in New York City.
Noam Galai/Getty Images for Verizon Media
CEO at Verizon Media K. Guru Gowrappan appears at the 2019 Verizon Media NewFront on April 30, 2019 in New York City.
Now playing
02:47
Verizon sells off Yahoo and AOL
Warren Buffett, CEO of Berkshire Hathaway, attends the 2019 annual shareholders meeting in Omaha, Nebraska, May 3, 2019. (Photo by Johannes EISELE / AFP)        (Photo credit should read JOHANNES EISELE/AFP via Getty Images)
Johannes Eisele/AFP/Getty Images
Warren Buffett, CEO of Berkshire Hathaway, attends the 2019 annual shareholders meeting in Omaha, Nebraska, May 3, 2019. (Photo by Johannes EISELE / AFP) (Photo credit should read JOHANNES EISELE/AFP via Getty Images)
Now playing
02:40
Warren Buffett warns on US inflation
Now playing
01:00
Astronauts splash down after record-setting mission
ATLANTA - APRIL 30:  A Boeing 757 with a new Delta Airlines logo sits on the tarmac following the company's emergence from bankruptcy at Hartsfield Jackson International Airport April 30,2007 in Atlanta, Georgia. The 757 sports new branding that will appear on more than 900 planes, at airports and on advertising.  (Photo by Barry Williams/Getty Images) 757
Barry Williams/Getty Images North America/Getty Images
ATLANTA - APRIL 30: A Boeing 757 with a new Delta Airlines logo sits on the tarmac following the company's emergence from bankruptcy at Hartsfield Jackson International Airport April 30,2007 in Atlanta, Georgia. The 757 sports new branding that will appear on more than 900 planes, at airports and on advertising. (Photo by Barry Williams/Getty Images) 757
Now playing
02:28
Why Delta airlines is resuming selling middle seats
Now playing
02:50
Grocery chain says 'hero pay' forcing them to close stores
(CNN) —  

At least 50,000 American license plate numbers have been made available on the dark web after a company hired by Customs and Border Protection was at the center of a major data breach, according to CNN analysis of the hacked data. What’s more, the company was never authorized to keep the information, the agency told CNN.

“CBP does not authorize contractors to hold license plate data on non-CBP systems,” an agency spokesperson told CNN.

The admission raises questions about who’s responsible when the US government hires contractors to surveil citizens, but then those contractors mishandle the data.

“[CBP] keeps seeking to amass more information in a way that is concerning from a privacy and civil liberties standpoint, but also from a security standpoint, given that they’ve not demonstrated they can safeguard that information,” Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, told CNN.

CBP collects license plate information to track which vehicles cross the border.

A CNN analysis of data hacked from CBP subcontractor Perceptics, which is now available on the dark web, shows records of what appear to be at least 50,000 unique American license plate numbers. That figure had not previously been made public.

In specific instances, CBP contractors are authorized to access Americans’ license plate images to adjust their systems, like when a state issues a new license plate design and the system needs to calibrate it. But those periods are brief. “This data does have to be deleted,” the CBP spokesperson said, though the agency didn’t clarify the specifics of the policy that would apply to Perceptics.

In many cases, it’s not clear whether the license plate numbers were collected for CBP or for one of Perceptics’ other government or law enforcement contracts. Some portion, however, was for CBP, the spokesperson said. Perceptics didn’t respond to multiple requests for comment.

In a statement when the breach was announced last week, CBP said it learned on May 31 that a subcontractor “had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network. The subcontractor’s network was subsequently compromised by a malicious cyber-attack.”

Last week, CBP said in a statement that “none of the image data has been identified on the Dark Web or internet,” though CNN was able to still find it.

In addition to the license plate data, last week a CBP spokesperson said that photos of some travelers – fewer than 100,000 – had also been compromised.

CNN first obtained the information on the license plates records from the online archivist group Distributed Denial of Secrets, which has published some emails and contracts leaked from the Perceptics hack. They plan to publish far more, including a library of emails that will eventually be searchable, DDoS co-founder Emma Best told CNN.

CNN analyzed a list of hacked folder files and isolated entries that appeared to be images, resulting in nearly 300,000 apparent images of license plate numbers, then omitted duplicates and plates that appeared to be missing a state or plate number, or were from a country other than the US.