Source: Andrea Booher/FEMA

The DHS Office of Inspector General (OIG) issued a report today detailing how FEMA failed to appropriately safeguard the personal information of 2.3 million survivors of hurricanes Harvey, Irma, and Maria and the 2017 California wildfires.

During national disasters, the Federal Emergency Management Agency (FEMA) offers a program called Transitional Sheltering Assistance (TSA) that provides shelter to disaster survivors.

In an advisory titled "Management Alert – FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information", the OIG discloses that FEMA did not appropriately safeguard survivors' personal information, including bank account details, and passed it on to the contractor managing the program.

"During our ongoing audit of the Federal Emergency Management Agency’s (FEMA) Transitional Sheltering Assistance (TSA) program, we determined that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy by releasing to [redacted] the PII and SPII of 2.3 million survivors of hurricanes Harvey, Irma, and Maria and the California wildfires in 2017. FEMA should only provide [redacted] with limited information needed to verify disaster survivors’ eligibility for the TSA program. The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to [redacted]. Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud."

When enrolling in the TSA program, survivors are required to provide FEMA with personal information. A subset of that information is then passed to the contractor managing the program so that it can arrange shelter.

The personal information that FEMA is required to share with the contractor is:

Applicant First Name

Applicant Middle Name

Applicant Last Name

Applicant Date of Birth

Last 4 digits of Applicant’s Social Security Number

Disaster Number

Authorization for TSA

Number of Occupants in Applicants Household

Eligibility Start Date

Eligibility End Date

Global Name

Export Sequence Number

FEMA Registration Number

The report states that, in addition to the fields above, FEMA provided 20 unnecessary data fields, including the following six that contain highly sensitive information and put survivors at risk of fraud, spear-phishing, and identity theft:

Applicant Street Address

Applicant City Name

Applicant Zip Code

Applicant’s Financial Institution Name

Applicant’s Electronic Funds Transfer Number

Applicant’s Bank Transit Number

The Office of Inspector General recommends that FEMA put safeguards in place so that only the necessary data fields are shared with contractors. The report also recommends that FEMA determine the full scope of this privacy breach and ensure that any data that was mistakenly shared is destroyed.
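The safeguard the OIG recommends is, in engineering terms, an allowlist on the outbound data feed: the export to the contractor carries only the required data elements, and anything else is dropped and flagged before it leaves. The following is an added example of that control, not FEMA's or the contractor's code. The field names are taken from the two lists above; the record layout, the sample values, the extra "Applicant Email" field and the fail-closed export policy are assumptions constructed for the example.

```python
"""Data-minimization gate for a TSA eligibility export (added example).

Field names come from the OIG report's lists; the record layout and all
sample values are constructed for this illustration. ASCII apostrophes are
used in place of the typographic ones in the report's field names.
"""
from typing import Any

# The 14 data elements the report says FEMA is required to share.
REQUIRED_FIELDS = frozenset({
    "Applicant First Name",
    "Applicant Middle Name",
    "Applicant Last Name",
    "Applicant Date of Birth",
    "Last 4 digits of Applicant's Social Security Number",
    "Disaster Number",
    "Authorization for TSA",
    "Number of Occupants in Applicants Household",
    "Eligibility Start Date",
    "Eligibility End Date",
    "Global Name",
    "Export Sequence Number",
    "FEMA Registration Number",
})

# The six unnecessarily shared fields the report singles out as SPII.
SENSITIVE_FIELDS = frozenset({
    "Applicant Street Address",
    "Applicant City Name",
    "Applicant Zip Code",
    "Applicant's Financial Institution Name",
    "Applicant's Electronic Funds Transfer Number",
    "Applicant's Bank Transit Number",
})


def minimize_record(record: dict[str, Any]) -> dict[str, Any]:
    """Keep only allowlisted fields; anything unknown is dropped, never forwarded."""
    return {key: value for key, value in record.items() if key in REQUIRED_FIELDS}


def audit_export(records: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Report non-required fields present in a batch, split into SPII and other."""
    extra: set[str] = set()
    for record in records:
        extra.update(key for key in record if key not in REQUIRED_FIELDS)
    return {
        "sensitive": sorted(extra & SENSITIVE_FIELDS),
        "other": sorted(extra - SENSITIVE_FIELDS),
    }


def export_batch(records: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Fail closed: refuse the whole batch if any SPII field is present,
    otherwise emit minimized records. (Policy choice assumed for the example.)"""
    findings = audit_export(records)
    if findings["sensitive"]:
        raise ValueError(f"refusing export, SPII fields present: {findings['sensitive']}")
    return [minimize_record(record) for record in records]


# Constructed sample record: the required fields plus the over-shared ones.
SAMPLE_RECORD: dict[str, Any] = {
    "Applicant First Name": "Jane",
    "Applicant Middle Name": "Q",
    "Applicant Last Name": "Doe",
    "Applicant Date of Birth": "1980-01-01",
    "Last 4 digits of Applicant's Social Security Number": "1234",
    "Disaster Number": "0000",
    "Authorization for TSA": "Y",
    "Number of Occupants in Applicants Household": 3,
    "Eligibility Start Date": "2017-09-01",
    "Eligibility End Date": "2017-09-30",
    "Global Name": "DOE, JANE",
    "Export Sequence Number": 1,
    "FEMA Registration Number": "000000000",
    # Over-shared fields with placeholder values.
    "Applicant Street Address": "1 Example St",
    "Applicant City Name": "Anytown",
    "Applicant Zip Code": "00000",
    "Applicant's Financial Institution Name": "Example Bank",
    "Applicant's Electronic Funds Transfer Number": "000000000000",
    "Applicant's Bank Transit Number": "000000000",
    "Applicant Email": "jane@example.invalid",  # unnecessary but not SPII
}

if __name__ == "__main__":
    print("audit:", audit_export([SAMPLE_RECORD]))
    try:
        export_batch([SAMPLE_RECORD])
    except ValueError as err:
        print("blocked:", err)
    print("minimized:", sorted(minimize_record(SAMPLE_RECORD)))
```

The audit step is what was missing in the incident described above: the report attributes the over-sharing to FEMA not taking steps to ensure only required elements were sent, and a check that runs on the batch before transmission turns that omission into a blocking finding rather than a discovery made during a later OIG audit.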

FEMA has stated that it has started an investigation into this privacy breach and has deployed cyber security personnel to the contractor's facilities to determine whether the data was exposed through vulnerabilities in the contractor's systems.

"FEMA indicated that the Joint Assessment Team had documented the sanitization and removal of the unnecessarily shared PII and SPII from the contractor’s system and performed an in-depth assessment of the contractor’s network. According to FEMA, these assessments found no indication of intrusion within the last 30 days although the assessment identified that the contractor did not maintain logs past 30 days. The Joint Assessment Team also identified several security vulnerabilities. As of March 2019, four vulnerabilities had been remediated and the contractor was developing remediation plans for the remaining seven. FEMA’s estimated completion date for implementing the recommendations is June 30, 2020. Given the sensitive nature of these findings, we urge FEMA to expedite this timeline."

H/T: Tony Romm