FEMA admits data breach affected 2.5M
WASHINGTON — The Federal Emergency Management Agency shared personal addresses and banking information of more than 2 million U.S. disaster survivors in what the agency acknowledged Friday was a “major privacy incident.”
The data breach, discovered recently and the subject of a report by the Department of Homeland Security’s Office of Inspector General, occurred when the agency shared sensitive, personally identifiable information of disaster survivors who used FEMA’S Transitional Sheltering Assistance program, according to officials at the Federal Emergency Management Agency.
In a statement, FEMA press secretary Lizzie Litzow said the breach happened while FEMA was transferring disaster-survivor information to a contractor.
“We believe this oversharing has impacted approximately 2.5 million disaster survivors,” said a Department of Homeland Security official who asked for anonymity.
He said 1.8 million people had both their banking information and addresses revealed, and about 725,000 people had just their addresses shared.
The U.S. government mishandled personal information from victims of some of the country’s worst disasters — including Hurricanes Harvey, Irma and Maria in 2017 — in a major privacy mishap that threatens survivors with “identity theft and fraud,” according to the watchdog report. That report, dated March 15, estimated that 2.3 million people had been affected, slightly less than the estimate from the DHS official Friday.
The security mishap involved a program managed by FEMA that places people affected by disasters in temporary housing. The agency shared “unnecessary” amounts of data, including home addresses and birth dates and, in some cases, more-sensitive information about their bank accounts.
It is unclear if the data breach had led to identify theft or other malicious actions.
Litzow said “FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”