Washington - The Federal Emergency Management Agency (FEMA) compromised the personal data of 2.3 million survivors of recent natural disasters, such as Hurricane María in Puerto Rico, by sharing personal and banking information with a contractor.
The fear, according to a memo by the U.S. Department of Homeland Security's Office of Inspector General (OIG), is that FEMA's breach has put those who participated in the Transitional Sheltering Assistance (TSA) program at risk of identity theft or fraud. This program provides housing assistance for people whose houses were damaged by a natural disaster.
Victims of the 2017 California wildfires and of Hurricanes Harvey, Irma and María are among those affected by the breach.
About 7,000 Puerto Rican families submitted applications to the TSA both on the island and in the US after Hurricane María.
“The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements… Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud,” reads the memo from the office of Inspector General John Kelly.
An official from Homeland Security said that so far they don't have information regarding people being affected or victims of fraud.
According to the Inspector General, the leaked data included information that could be used to identify people even if they are not U.S. citizens, “legal permanent resident, visitor to the U.S., or employee or contractor to the Department. This includes complete name, home address, and birthdate when combined.”
FEMA also provided the contractor with bank account and routing numbers, information that was not required by the contractor.
The memo states that FEMA “must take corrective action to safeguard against improperly releasing PII and SPII of disaster survivors in the future,” and recommends that it destroy the information improperly released.
The memo states that FEMA stopped sending this information on December 7, 2018.
Subsequently, the agency deployed a Joint Assessment Team of cyber security experts to the contractor's facilities to clean and remove unnecessary information. That process was completed on December 21, 2018.
As part of that process, the team performed an assessment of the computer security system of the contractor, whose corporate identity was not revealed.
“These assessments found no indication of intrusion within the last 30 days although the assessment identified that the contractor did not maintain logs past 30 days,” according to the OIG memo.
However, the team identified “several security vulnerabilities. As of March 2019, four vulnerabilities had been remediated and the contractor was developing remediation plans for the remaining seven.”
FEMA estimated this would be completed by June 30, 2020.
In a written statement, the FEMA Office in Puerto Rico stressed that since this problem was identified, the agency has taken immediate action to correct the situation.
"FEMA no longer shares unnecessary data with the contractor and performed an in-depth assessment of the contractor's network. FEMA found no evidence to suggest that survivors' data has been compromised," the statement said.
The federal agency also said that the contract with the TSA contractor was updated "to ensure compliance with the Department of Homeland Security cyber security and information exchange standards."
The agency also noted that they instructed their staff to complete training on the security and privacy of the people they serve.
“FEMA’s goal remains protecting and strengthening the integrity, effectiveness, and security of our disaster programs that help people before, during, and after disasters,” said the statement.
Reporter Ricardo Cortés Chico contributed to this story.