Disaster relief org FEMA has admitted, conveniently on a Friday night, to accidentally leaking banking details and other personal information of 2.3 million hurricane and wildfire survivors.
The US government’s Federal Emergency Management Agency picked the end-of-the-week bad-news dump time slot to let the public know that one of its contractors had mistakenly been sent more information than it ever needed to know.
“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary,” is how the agency’s press secretary Lizzie Litzow put it today.
“Since the discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.”
The extra personal info handed over to the contractor is said to have included 20 data fields including things like bank transit and electronic funds routing numbers.
The 2.3 million people exposed by the privacy screw-up are said to be survivors of the California wildfires, and Hurricanes Harvey, Irma, and Maria, all in 2017. If there is a bright side, so far it looks like the information did not get out into the public space.
“To date, FEMA has found no indicators to suggest survivor data has been compromised,” Litzow said.
“FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards.”
The agency says that it has already begun working with the unnamed contractor to get the leaked information wiped off its systems, and plans to provide its employees with additional training so that the incident doesn’t happen again.
“As an added measure, FEMA instructed contracted staff to complete additional DHS [Department of Homeland Security] privacy training,” Litzow added. ®