-Lurid Crime Tales-
FEMA exposes sensitive data of 2.3 million disaster survivors
2019-03-27
Government is just another word for how we can fuck shit up together.
[NakedSecurity] Losing your home in a hurricane or wildfire is bad enough, but to add insult to injury, the US agency that helps survivors get temporary housing set millions of them up for identity theft and fraud by needlessly sharing their personal data with a contractor.

The Department of Homeland Security Office of the Inspector General (DHS OIG), which administers FEMA, said in a management alert dated 15 March that the US Federal Emergency Management Agency (FEMA) spilled highly sensitive personal data belonging to 2.3 million people who needed hotel lodging because of the 2017 wildfires in California and because of that year’s trio of hurricanes: Harvey, Irma and Maria.

In order for the contractor to administer FEMA’s Transitional Sheltering Assistance (TSA) program, there are 13 types of Personal Identifying Information (PII) it needs, and there are these six types of Sensitive PII (SPII) that it doesn’t need but which FEMA gave it anyway: street address, city name, postal code, the name of the applicant’s financial institution, applicants’ electronic funds transfer numbers, and their bank transit numbers.

SPII is defined as a subset of PII which if lost, compromised, or disclosed without authorization could result in what the DHS OIG called "substantial harm, embarrassment, inconvenience, or unfairness to an individual." SPII, which includes the financial information that FEMA fumbled, requires stricter handling guidelines because if it’s compromised, it can bring serious hurt to people.

On Friday, FEMA called the data disclosure a "major privacy incident" in a press release.

Press secretary Lizzie Litzow said in the release that FEMA has taken "aggressive measures" to close the leak and that the agency is no longer sharing unnecessary data with the contractor.

FEMA has also conducted a "detailed review" of the contractor's information system, she said. As of Friday, FEMA hadn't found evidence that the survivors' data had been compromised… although a lack of evidence doesn't mean that it didn't happen, as an anonymous DHS official told the Washington Post.

FEMA has also worked with the contractor to scrub the sensitive data off its system and has updated its contract to ensure compliance with DHS cybersecurity and information-sharing standards, Litzow said. Also, FEMA has told the contractor to complete additional DHS privacy training for its staff.

The DHS official told the Post that of the 2.3 million survivors affected, 1.8 million had both their banking information and addresses revealed, while about 725,000 people had just their addresses shared – a total that's slightly more than that mentioned in the OIG's report.
Posted by: DarthVader

#2  Who needs China when we have government IT?
Posted by: gorb   2019-03-27 09:21  

#1  Privacy and automation are mutually exclusive - Adm Grace Hopper.
Posted by: Procopius2k   2019-03-27 07:46  
