FEMA inadvertently exposed almost 2.3 million disaster victims’ private data with a contractor

• FEMA has inadvertently shared private data of almost 2.3 million disaster victims with one of its contractor.
• FEMA provided the contractor with additional 20 data fields that include applicants SPII such as street addresses, city names, zip codes, financial institution names, electronic funds transfer numbers, and bank transit numbers.

What is the issue - The United States Federal Emergency Management Agency (FEMA) has inadvertently shared private data of almost 2.3 million disaster victims with one of its contractor.

The Office of Inspector General for the Department of Homeland Security published a report titled ‘Management Alert - FEMA did not safeguard disaster survivors’ sensitive personally identifiable information (Redacted)’. The report revealed that FEMA disclosed PII of disaster survivors including address and banking information to its contractors.

Why it matters - FEMA offers Hurricane Harvey, Irma, and Maria survivors with a housing facility through its Transitional Sheltering Assistance (TSA) program.

While enrolling to the TSA program, disaster survivors need to provide their personal information with FEMA, which the emergency management agency shared with the contractor who manages the program.

What happened?

FEMA is required to share some of the personal information of the disaster survivors with the contractor managing the TSA program.

The limited information includes,

• Applicants’ first and last names
• Dates of birth
• Last 4 digits of the social security number
• Authorization for TSA
• Disaster numbers
• No. of occupants in the applicants’ household
• Eligibility time frame
• Global names
• Export Sequence Numbers and FEMA registration numbers

However, apart from the above-mentioned information, FEMA provided the contractor with additional 20 data fields that include applicants SPII such as street addresses, city names, zip codes, financial institution names, electronic funds transfer numbers, and bank transit numbers.

What's next?

• The Office of Inspector General has recommended FEMA to implement measures to ensure that only required data of disaster survivors are shared with contractors.
• The OIG recommended FEMA’s Assistant Administrator for the Recovery Directorate to investigate the extent of the data breach and ensure that the exposed data is destroyed.

“In agreement with OIG’s observations, FEMA determined that numerous elements constituting SPII were not necessary to administer the TSA program. FEMA stated it had implemented immediate measures to discontinue sharing the unnecessary data and had begun an on-site assessment of network,” the report read.