(CNN) Millions of hurricane and wildfire survivors are learning that they're at "increased risk of identity theft and fraud" because the Federal Emergency Management Agency shared their banking and other private information.

The Department of Homeland Security inspector general said Friday that FEMA had unlawfully disclosed the private data of 2.3 million survivors with a federal contractor that was helping them find temporary housing.

The 2.3 million people include survivors of Hurricanes Harvey, Irma and Maria and the 2017 California wildfires.

The data includes "20 unnecessary data fields" such as electronic funds transfer number, bank transit number, and address. The data was part of a stream of information the agency feeds to the housing contractor, whose name was redacted from the public version of the inspector general's report.

FEMA said it began filtering the data in December 2018 to prevent the information from being shared, but a more permanent fix may not be finalized until June 2020.

Read More