Governance & Risk Management , Government , Incident & Breach Response

FEMA Exposed 2.3 Million Disaster Victims' Private Data

Fraud and Identity Theft Risk Follows Bank Account and Postal Address Exposure
FEMA Exposed 2.3 Million Disaster Victims' Private Data
A FEMA worker at the Disaster Recovery Center in Casselberry, Florida, on Nov. 11, 2017, following Hurricane Irma. (Photo: Sarah Williams/FEMA)

The U.S. Federal Emergency Management Agency inadvertently shared 2.3 million disaster survivors' personal details with a third-party contractor.

See Also: Forrester Top 35 Global Breaches Report: Balance Defense with Defensibility

Twenty different types of sensitive personal data pertaining to the survivors was accidentally shared by FEMA, leaving those individuals at increased risk of fraud and identity theft, says the Office of Inspector General.

The slip up was detailed in a Department of Homeland Security OIG report released on March 15. FEMA's Joint Assessment Team and Office of the Chief Information Officer are now auditing the network of the contractor to see if the data may have been further exposed. The name of the contractor has not been publicly released; it was redacted from the OIG's report.

Complicating FEMA's efforts to find out what happened is the fact that the contractor only retained network logs for 30 days. And FEMA's cybersecurity experts have already found 11 security vulnerabilities in the contractor's network, of which only four have been remediated, meaning that would-be hackers might have been able to easily access the network.

"According to FEMA, these assessments found no indication of intrusion within the last 30 days although the assessment identified that the contractor did not maintain logs past 30 days," the OIG says.

The sensitive data has been erased from the contractor's system, but the review of the contractor's network is not expected to be conclude until June 30, 2020.

FEMA's data exposure is just the latest in a series of incidents involving U.S. government agencies exposing or losing control of individuals' personal details. In 2015, hackers stole as many as 14 million personal records for current and former federal employees from the Office of Personnel Management, including 6 million biometric fingerprints (see Stolen OPM Fingerprints: What's the Risk?).

Lawmakers have called on government officials to come clean on how the latest data spillage happened. "FEMA Acting Administrator Gaynor must testify before Congress. We need answers about how this happened," Sen. Kamala Harris of California, who's a Democratic presidential candidate for 2020, tweeted on Sunday.

OIG: FEMA Didn't Follow Guidelines

For people who survived hurricanes and wildfires, the data exposure comes as a second hit. Victims of such disasters, including hurricanes Harvey, Irma, Maria and the California wildfires in 2017, provided their data to qualify for short-term emergency shelter in hotels.

FEMA is allowed to share data such as names, birth dates, Social Security numbers - but only the last four digits - and other administrative data. But it also passed along street addresses, bank names and account numbers.

The OIG detailed six types of data that FEMA should not have released to a contractor. (Source: OIG)

"The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to [redacted contractor]," the OIG says in its report. "Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud."

FEMA must comply with federal law and also internal regulations that outline how it can share data. The agency is bound by the federal Privacy Act of 1974, which restricts the sharing of personal data to that which is "legally authorized and necessary," the OIG says.

The act covers "personally identifiable information" and "sensitive personally identifiable information," which a subset of PII covering financial data or data that could embarrass or otherwise harm someone.

The OIG's assessment.

FEMA is part of DHS, which has a "Handbook for Safeguarding Sensitive PII" that was published in December 2017, the OIG says. There's also a 2015 "Performance Work Statement" that describes the 13 data elements FEMA can send in order to verify survivors' eligibility for temporary shelter.

In this mishap, FEMA confirmed that the contractor received the data but not what types of data FEMA itself had been sending, the OIG says. Also, the contractor did not alert FEMA to the fact that it was sending it data that it should not have been sending.

"Although not required to do so, had [redacted contractor] officials notified FEMA officials that the agency was providing unnecessary PII and SPII for eligible survivors, FEMA may have been able to remedy this situation earlier and avoid additional privacy incidents," the OIG says.

FEMA Agrees to New Controls

Now, FEMA has agreed to follow two recommendations made by the OIG to help prevent this type of mishap from recurring.

The assistant administrator for FEMA's Recovery Directorate will "implement controls to ensure that the agency only sends required data elements of registered disaster survivors, such as [redacted contractor]," the OIG says. Also, the assistant administrator will ensure that the SPII is properly destroyed.

The agency will also continue to assess the contractor's systems to ensure it "maintains a security posture in accordance with federal standards on handling PII/SPII, as well as the FEMA Records Retention Schedule covering this information," the OIG says.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.