The Federal Emergency Management Agency revealed it mistakenly leaked the banking information of 2.5 million U.S. disaster survivors.
The Department of Homeland Security Office Inspector General discovered the leak in which FEMA shared sensitive, personally identifiable information of disaster survivors who previously used the company’s Sheltering Assistance program, officials stated.
“FEMA, in coordination with the Department of Homeland Security Office of the Inspector General, identified an incident involving the sharing of sensitive, personally identifiable information of disaster survivors using the Transitional Sheltering Assistance program,” FEMA said in a statement. “In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary.”
Information was shared from victims of Hurricanes Harvey, Irma and Maria, and victims of the California wildfires in 2017, according to the report.
While transferring data to a contractor, FEMA shared more information than was necessary, according to FEMA Press Secretary Lizzie Litzow.
“Since discovery of this issue, FEMA has taken aggressive measures to correct this error,” FEMA said in a statement on the incident. “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”
“To date, FEMA has found no indicators to suggest survivor data has been compromised,” FEMA continued. “FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”
FEMA declined to identify the contractor.
About 1.8 million consumers had their banking information and addresses revealed, while another 725,000 had their addresses shared, according to an article by Joel Achenbach, William Wan and Tony Tomm for The Washington Post.
From the article:
It is unclear if the oversharing had led to identity theft or other malicious actions, he said.
“We don’t have any information that it has been compromised in a detrimental fashion,” the DHS official said.
The Inspector General report said the privacy mishap threatened survivors with “identity theft and fraud.” That report, dated March 15, estimated that 2.3 million people had been affected, slightly less than the estimate provided by the DHS official on Friday.