US Government Leaks PII of 2m+ Disaster Survivors

Written by

A US government agency responsible for disaster relief has accidentally leaked the personal data of millions of disaster survivors with a third-party contractor, it has revealed.

The Federal Emergency Management Agency (FEMA) sits within the Department of Homeland Security to help US citizens before, during and after disasters.

It announced on Friday that the privacy leak affected the personally identifiable information (PII) of disaster survivors using the Transitional Sheltering Assistance program.

The agency admitted that it “provided more information than was necessary” to the contractor, potentially exposing those details to the risk of loss or theft by malicious third-parties and insiders.

It claimed not to have found any evidence so far of this data being compromised.

“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” the statement continued.

“FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards. As an added measure, FEMA instructed contracted staff to complete additional DHS privacy training.”

According to reports, 2.3 million disaster survivors were affected, including victims of hurricanes Harvey, Irma and Maria and the 2017 California wildfires.

Personal details shared with the contractor apparently included home addresses and bank account information.

The news is particularly embarrassing for the DHS, given its lead role in coordinating cybersecurity efforts across federal government departments.

The department was slammed by government inspectors back in May 2018, after they found it did not practice what it preached in terms of risk management.

Specifically, 64 systems “lacked valid authority to operate, and components did not remediate security weaknesses” in a timely manner, according to the OIG.

What’s hot on Infosecurity Magazine?