After being displaced by a natural disaster, survivors have a lot of pressing concerns. They may be dealing with health impacts, displacement, loss of property, and even grieving the deaths of loved ones. Through all of this, though, one worry that is probably not in their minds is the question of whether their personal data is safe with the Federal Emergency Management Agency. Unfortunately, what should be a given is apparently another burden to add to an already painfully long list.
On Friday, FEMA publicly acknowledged a Homeland Security Department Office of the Inspector General report that the emergency response agency wrongly shared personal data from 2.3 million disaster survivors with a temporary-housing-related contractor. In doing so, the agency violated the Privacy Act of 1974 and Department of Homeland Security policy, and exposed survivors to identity theft.
Just to clarify, it's not a hack per se. No one had to. The data, collected for the Transitional Sheltering Assistance program, came from survivors of the 2017 California wildfires and hurricanes Harvey, Irma, and Maria. The contractor that received the errant data was helping to secure temporary housing for survivors at hotels—a standard practice so FEMA can minimize the number of people staying in emergency shelters.
The data FEMA should have sent to the contractor to verify survivors’ eligibility for lodging includes full names, dates of birth, eligibility start and end date, a FEMA registration number, and the last four digits of survivors’ Social Security numbers.
That’s plenty of information in itself. But the OIG report also found that FEMA additionally shared 20 unnecessary data fields with the contractor, including six that contain particularly sensitive information, like survivors’ full home addresses, bank name, electronic funds transfer number, and bank transit number.
“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary,” FEMA press secretary Lizzie Litzow said in a statement on Friday. “Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system. To date, FEMA has found no indicators to suggest survivor data has been compromised."
Over two million survivors of recent natural disasters in the United States. FEMA says that it will not be notifying impacted individuals or offering a mechanism for people to check whether they were affected, because the agency doesn't consider the incident a data breach. "No information was released or compromised," FEMA spokesperson Daniel Llargues told WIRED. "We overshared data with a contractor like mentioned in the statement, but NO disasters’ survivor information was compromised."
How Serious Is This?
FEMA says that the leaked data wasn’t stolen or abused while the contractor possessed it, but there's also no way to confirm that. The agency has concurred with all of the OIG’s many recommendations on how to better control sensitive data, and has committed to implement them by June 30, 2020.
“Given the sensitive nature of these findings, we urge FEMA to expedite this timeline," said the OIG in its report. "Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
Unnecessary and unauthorized data sharing is dangerously common in both the corporate and government arenas, and FEMA’s gaffe is particularly maddening given the already vulnerable situation of the impacted individuals.
“The fact that the data was shared with no safeguards is alarming, and FEMA needs to immediately figure out how to prevent breaches of personal data in the future,” says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. “The report findings show that FEMA did no advanced analysis of what information should be provided to the subcontractor and shared practically everything.”
Updated March 22, 2019, 9:08 pm ET to include comment from FEMA that the agency does not plan to notify victims of the data exposure.