BreachExchange mailing list archives

FEMA data breach hits 2.5 million disaster survivors


From: Richard Forno <rforno () infowarrior org>
Date: Fri, 22 Mar 2019 19:04:58 -0400


FEMA data breach hits 2.5 million disaster survivors

By Joel Achenbach, William Wan and Tony Romm
March 22 at 6:42 PM

https://www.washingtonpost.com/national/health-science/fema-data-breach-hits-25-million-disaster-survivors/2019/03/22/3e2c6232-4cec-11e9-93d0-64dbcf38ba41_story.html

The Federal Emergency Management Agency shared personal addresses and banking information of more than 2 million U.S. 
disaster survivors in what the agency acknowledged Friday was a “major privacy incident.” 

The data breach, discovered recently and the subject of a report by the Department of Homeland Security’s Office of 
Inspector General, occurred when the agency shared sensitive, personally identifiable information of disaster survivors 
who used FEMA’s Transitional Sheltering Assistance program, according to officials at the Federal Emergency Management 
Agency. Those affected included the victims of California wildfires in 2017 and hurricanes Harvey, Irma and Maria, the 
report said.

In a statement, FEMA Press Secretary Lizzie Litzow said the breach happened because “FEMA provided more information 
than was necessary” while transferring disaster survivor information to a contractor.

“We believe this oversharing has impacted approximately 2.5 million disaster survivors,” said a Department of Homeland 
Security official who asked for anonymity in order to provide background information beyond the official FEMA statement.

He said 1.8 million people had both their banking information and addresses revealed, and about 725,000 people had just 
their addresses shared.

It is unclear if the data breach had led to identity theft or other malicious actions, he said.

“We don’t have any information that it has been compromised in a detrimental fashion,” he said.

The Inspector General report told FEMA it needed to install controls to make sure such data would not continue to be 
shared with contractors and that the agency needed to assess how wide the breach was and to make sure that data in the 
contractor’s system was destroyed.

In the OIG’s report, FEMA said that once it became aware of the problem, the agency installed a data filter in 
December to prevent unnecessary survivors’ personal data from leaving its system. FEMA also said in the report that it 
had sent internal security experts twice since implementing its new procedures to conduct on-site checks of its network.

Litzow said that FEMA has taken “aggressive measures to correct this error. FEMA is no longer sharing unnecessary data 
with the contractor and has conducted a detailed review of the contractor’s information system.” 

FEMA declined to identify the contractor.

Litzow said FEMA has been working with the contractor to remove the unnecessary data from its system. As an added 
measure, Litzow said, FEMA instructed contracted staff to complete additional DHS privacy training.
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
