But the agency, which learned of the breach on 31 May, said none of the image data had been identified “on the dark web or internet”.
US law enforcement agencies argue that facial recognition systems enhance border security and help to catch criminals.
But there are growing concerns they may infringe privacy and increase the risk of identity theft.
Senator Ron Wyden told the Washington Post: “If the government collects sensitive information about Americans, it is responsible for protecting it – and that’s just as true if it contracts with a private company.
“Anyone whose information was compromised should be notified by customs, and the government needs to explain exactly how it intends to prevent this kind of breach from happening in the future.”
Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union, said: “This breach comes just as CBP seeks to expand its massive face recognition apparatus and collection of sensitive information from travellers, including licence plate information and social media identifiers.
“This incident further underscores the need to put the brakes on these efforts and for Congress to investigate the agency’s data practices.”