Losing your home in a hurricane or wildfire is bad enough, but to add insult to injury, the US agency that helps survivors get temporary housing set millions of them up for identity theft and fraud by needlessly sharing their personal data with a contractor.

The Department of Homeland Security Office of the Inspector General (DHS OIG), which administers FEMA, said in a management alert dated 15 March that the US Federal Emergency Management Agency (FEMA) spilled highly sensitive personal data belonging to 2.3 million people who needed hotel lodging because of the 2017 wildfires in California and because of that year’s trio of hurricanes: Harvey, Irma and Maria.

In order for the contractor to administer FEMA’s Transitional Sheltering Assistance (TSA) program, there are 13 types of Personal Identifying Information (PII) it needs, and there are these six types of Sensitive PII (SPII) that it doesn’t need but which FEMA gave it anyway: street address, city name, postal code, the name of the applicant’s financial institution, applicants’ electronic funds transfer numbers, and their bank transit numbers.

SPII is defined as a subset of PII which if lost, compromised, or disclosed without authorization could result in what the DHS OIG called “substantial harm, embarrassment, inconvenience, or unfairness to an individual.” SPII, which includes the financial information that FEMA fumbled, requires stricter handling guidelines because if it’s compromised, it can bring serious hurt to people.

On Friday, FEMA called the data disclosure a “major privacy incident” in a press release.

Press secretary Lizzie Litzow said in the release that FEMA has taken “aggressive measures” to close the leak and that the agency is no longer sharing unnecessary data with the contractor.

No sign of data abuse… yet

FEMA has also conducted a “detailed review” of the contractor’s information system, she said. As of Friday, FEMA hadn’t found evidence that the survivors’ data had been compromised… although a lack of evidence doesn’t mean that it didn’t happen, as an anonymous DHS official told the Washington Post.

FEMA has also worked with the contractor to scrub the sensitive data off its system and has updated its contract to ensure compliance with DHS cybersecurity and information-sharing standards, Litzow said. Also, FEMA has told the contractor to complete additional DHS privacy training for its staff.

The DHS official told the Post that of the 2.3 million survivors affected, 1.8 million had both their banking information and addresses revealed, while about 725,000 people had just their addresses shared – a total that’s slightly more than that mentioned in the OIG’s report.

Fix this!

The DHS OIG’s report had two recommendations for FEMA, both of which FEMA agreed to: first, the agency needs to put in controls that keep it from sharing unnecessary SPII with contractors. Second, the report recommended that FEMA assess the extent of the incident and put in a process to ensure that the leaked data is properly destroyed.

FEMA responded by saying that it had already implemented the first recommendation: in December, it installed a data filter to keep unnecessary personal data of survivors from leaving its system. Since implementing the new procedures, it’s also sent internal security experts to conduct on-site checks of its network – twice.

FEMA also began an on-site assessment of the contractor’s network, expected to be completed by 30 June 2020.

How to fend off data devastation

As the report said, those whose details were exposed in this breach are at risk of identity theft and identity fraud if their SPII at any point leaked out of the contractor’s network and into the hands of attackers. Though that doesn’t seem to have happened, it’s as good an excuse as any to keep an eye out for unexpected emails that may try to phish account logins from you and to turn on two-factor authentication (2FA or MFA) whenever it’s available.

Here’s an article about a recent phishing campaign that gives you an idea of what to look out for, and here’s an informative podcast that tells you all about 2FA, if you’d like to learn more: