hacker attack and data breach, information leak concept, double exposure futuristic cyber background with broken lock

The Federal Emergency Management Agency failed to properly protect the personal information of 2.3 million survivors of natural disasters.

A partially redacted memo issued by the Office of the Inspector General of the Department of Homeland Security stated that FEMA released the personally identifiable information of 2.3 million survivors of hurricanes Harvey, Irma and Maria as well as the 2017 California wildfires to an unspecified contractor.

“FEMA’s failure…. has placed approximately 2.3 million disaster survivors at increased risk of identity theft and fraud. FEMA must take corrective action to safeguard against improperly releasing PII and SPII of disaster survivors in the future,” the report said.

The information was associated with FEMA’s Transitional Sheltering Assistance program (TSA), which provides temporary housing to people displaced by natural disasters. Under the Privacy Act of 1974 and Department of Homeland Security policies, the collection and use of sensitive personal information is limited to that which is necessary for FEMA officials and contractors to perform their official duties.

FEMA included names, street addresses, and financial account numbers to their contractor. The excess information sharing was discovered during an audit of the TSA program.

“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system. To date, FEMA has found no indicators to suggest survivor data has been compromised,” wrote FEMA Press Secretary Lizzie Litzow in a statement.