The Federal Emergency Management Agency may have put the personally identifying information of millions of disaster survivors at risk of fraud and identity theft, according to a recent report from the Department of Homeland Security’s Office of Inspector General.
The March 15 report said that during an audit of FEMA’s Transitional Sheltering Assistance program, it found that the agency shared and subsequently exposed the personal data of 2.3 million survivors of a number of natural disasters that included the 2017 California wildfires as well as hurricanes Harvey, Irma, and Maria.
Survivors of these incidents provided their private information to FEMA in order to obtain assistance such as temporary housing. The audit found that FEMA jeopardized private information that the agency collected about applicants when it “unnecessarily” released some of that information to an undisclosed contractor handling its TSA program.
FEMA, the report stated, shared with the contractor “more than 20 unnecessary data fields for survivors participating in the TSA program,” including bank names, account numbers, and home addresses.
FEMA Press Secretary Lizzie Litzow told Gizmodo in a statement by email on Friday that since becoming aware of the issue, the agency has “has taken aggressive measures to correct this error,” including by conducting its own audit of the contractor’s information system. Litzow also said FEMA is no longer sharing what the OIG identified as unnecessary information with the contractor.
“To date, FEMA has found no indicators to suggest survivor data has been compromised,” Litzow said. “FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”
A DHS official who spoke with the Washington Post on the condition of anonymity said that it did not have information that any data had been compromised.
He did, however, tell the Post that the banking information of 1.8 million individuals had been exposed in the breach, with roughly three-quarters of a million addresses also exposed.
The agency said Friday its “goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs that help people before, during, and after disasters.”