The Federal Emergency Management Agency unnecessarily shared sensitive personal data of more than two million disaster victims with a contractor, subjecting that information to potential identity theft and fraud, a government memo released on Friday said.

The memo, known as a management alert and written by the Office of Inspector General of the Department of Homeland Security, said the data of survivors of the 2017 California wildfires and Hurricanes Harvey, Irma and Maria were released to an unidentified contractor.

There were no indications that the data had been compromised, the agency said in a statement on Friday night. The agency said it had worked with the contractor to scrub the unnecessary data from its computer networks.

The memo, which was dated March 15 but surfaced on Friday, found that 20 data fields were unnecessarily shared with the contractor, including details about the victims’ financial institutions, electronic funds transfer numbers and bank transit numbers. Investigators estimated 2.3 million people helped by FEMA might have been affected.