The Department of Homeland Security’s Office of the Inspector General has released a report revealing that FEMA (Federal Emergency Management Agency) couldn’t protect the private and confidential information of about 2.3 million hurricane survivors.
In 2017, residents of Harvey, Maria, Irma, and California wildfires and hurricanes were offered Transitional Sheltering Assistance (TSA), which is a disaster management support program to provide aid and shelter to disaster survivors. Reportedly, FEMA could not secure the information of survivors and they are now vulnerable to identity theft and fraud.
According to the DHS Inspector General [PDF], FEMA disclosed the private data of 2.3 million survivors unlawfully to a federal contractor to find a temporary housing solution for the victims.
The exposed data includes critically important personal information including:
- Applicant First Name
Applicant Middle Name
Applicant Last Name
Applicant Date of Birth
Authorization for TSA
Eligibility Start Date
Eligibility End Date
Export Sequence Number
FEMA Registration Number
Number of Occupants in Applicants Household
Last 4 digits of Applicant’s Social Security Number
Furthermore, FEMA collected unnecessary data as well such as bank transit number; electronic funds transfer number, and street address of the applicant. A total of 20 unnecessary fields were included in the registration process, and the information was later shared with an unidentified housing contractor.
- Applicant Street Address
Applicant City Name
Applicant Zip Code
Applicant’s Bank Transit Number
Applicant’s Financial Institution Name
Applicant’s Electronic Funds Transfer Number
As per FEMA, data filtering was initiated last year in December and they did try their best to protect the data but a permanent solution can only be rolled out by June 2020. It was also stated that FEMA is taking “aggressive measures” for countering the issue and fix the error and has stopped sharing data with the contractor along with inspecting the information system of the contractor.
There is so far no indication of the data being compromised, but the contractors are being provided with advanced privacy training.
The revelation from the DHS Office of the Inspector General was published in an advisory titled “Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information.”