The Federal Emergency Management Agency’s inspector general said officials accidentally released personal information to a contractor. The information included Social Security numbers and banking information of about 2.3 million survivors of hurricanes Harvey, Maria and Irma, as well as the California wildfires in 2017, leaving them exposed to identity theft and fraud.
“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary,” said Lizzie Litzow, an agency spokeswoman, in a statement Friday. “Since discovery of this issue, FEMA has taken aggressive measures to correct this error.”
Agency officials didn’t deny that the incident is potentially harmful to millions of victims but stressed that it wasn’t a data breach.
The disaster survivors were part of the transitional sheltering assistance program, which provides hotels or other temporary housing for survivors who aren’t able to return home for an extended period following a disaster.
“We overshared information with a contractor, but by all means this was not a data breach, no disaster survivor data or information under the program was compromised,” said a FEMA spokesman Daniel Llargues.
The program requires personal and banking information to ensure claims aren’t fraudulent and payments are made quickly.
“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” Ms. Litzow said. “To date, FEMA has found no indicators to suggest survivor data has been compromised.”
The inspector general’s report was released on March 15 and posted online Thursday. It included recommendations that the agency send only required data to contractors and that data is destroyed in a timely manner. The contractor in question, who wasn’t identified, is working to implement necessary security changes, the agency said.
The FEMA incident is relatively small in comparison to other recent data releases including Facebook Inc.’s inadvertent exposure of hundreds of millions of users’ passwords.
The FEMA disclosure was an accident, according to authorities, and the data apparently wasn’t pilfered by thieves, and the exposure apparently wasn’t malicious.