The Federal Emergency Management Agency unnecessarily exposed the sensitive information of 2.3 million natural disaster survivors, putting them at increased risk of identity theft and fraud, the Department of Homeland Security’s Office of the Inspector General revealed in a memo Friday.
In a press release addressing the OIG’s memo, FEMA called it a “major privacy incident” that affected people who survived the 2017 California wildfires and hurricanes Harvey, Irma and Maria. The survivors were put up in hotels during these emergency situations via FEMA’s Transitional Sheltering Assistance (TSA) program.
Millions of major disaster survivors provided FEMA with sensitive information to apply for assistance from the TSA program. FEMA in turn provided that information to a contractor to verify applicants’ eligibility for the program.
Federal law and Homeland Security policy require federal agencies to release only personal information that is legally authorized and necessary.
An OIG audit found that FEMA unnecessarily shared TSA applicants’ financial information, including financial institution names and electronic bank account information, as well as street addresses, with the contractor.
In a statement addressing the incident, FEMA said it saw no indication that survivors’ data had been compromised despite it being put at risk. Lizzie Litzow, a spokeswoman for the agency, said in a tweet that “there is nothing to suggest” that any of the data had been compromised.
“This was an oversharing of information with a contracted vendor,” she said.
“Since discovery of this issue, FEMA has taken aggressive measures to correct this error,” FEMA said in a statement. “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”
In its report, the OIG said FEMA had also deployed a team of cybersecurity personnel to the contractor’s facility to remove the information from the contractor’s possession.
FEMA is currently working to discontinue sharing unnecessary and sensitive information with the contractor. The estimated completion date for that task is June 30, 2020, according to the OIG report.
OIG told FEMA to assess the extent of the overshared information and to “properly destroy” any information unnecessarily provided to the contractor.