The Federal Emergency Management Agency shared sensitive data, including personal banking information, of 2.3 million disaster survivors with a housing contractor, putting them at risk of identity theft, in what the agency described as a “major privacy incident.”
The Department of Homeland Security's Office of Inspector General on Friday released its findings that personal information of survivors of hurricanes Harvey, Irma, and Maria, as well the 2017 California wildfires, was mishandled by the FEMA. In response, the disaster relief agency said it had taken "aggressive measures" to correct the error.
"FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system," the agency said in a statement. "To date, FEMA has found no indicators to suggest survivor data has been compromised."
According to the inspector general report, FEMA collected personal information from survivors as part of its Transitional Shelter Assistance program, which houses people in hotels for a short term after disasters. But when it shared that information with an unnamed contractor, the agency violated a federal privacy law, as well as DHS policy, the report said.
The contractor received information from FEMA applications to determine who was eligible for the program, but agency provided more personal data than was necessary, according to the report. Some of that included sensitive personally identifiable information, including an applicant's address, financial institution name, electronic funds transfer number, and bank transit number.
In a cybersecurity review of the contractors' systems, several vulnerabilities were found, and officials are now working to correct those, the report added. Records from a period of 30 days found that the system hadn't been breached, the inspector's office said.
The report urged FEMA to complete its corrective actions as quickly as possible.
"FEMA’s failure to provide only required data elements to has placed approximately 2.3 million disaster survivors at increased risk of identity theft and fraud," the inspector general report said.
In its statement, FEMA said it now requires contractors to follow DHS policies on cybersecurity and information sharing. The agency had also told contractors to undergo additional training.
"FEMA’s goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs that help people before, during, and after disasters," the statement said.