FEMA shared personal information of 2.3M disaster victims with contractor

The agency gave an outside firm unnecessary information, according to an inspector general report.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
2 min read
Digital key macro on encrypted data
Getty Images

The Federal Emergency Management Agency shared bank information, addresses and other personal information on more than 2 million victims of disasters with a contractor, a practice the agency acknowledged on Friday gave the outside company "more information than was necessary."

The incident, which was the subject of a report by the Department of Homeland Security's Office of Inspector General, occurred as the agency worked with an outside contractor that was finding temporary housing for victims of the 2017 California wild fires and Hurricanes Harvey, Irma and Maria. FEMA shared more "data elements" than were necessary for the contractor to do its job, the report said.

The contractor's name was redacted in the report.

"Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud," the DHS Inspector General's report said.

FEMA, which is part of Homeland Security, acknowledged that "sensitive, personally identifiable information" had been shared. The agency added that it had taken "aggressive" measures to address the error.

"FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor's information system," Lizzie Litzow, FEMA's press secretary, said in a statement. The agency hasn't found evidence that the data was compromised and worked with the contractor to remove the unnecessary information.

The incident is a reminder that your personal information can flow from one organization's servers into another party's hands, and there isn't much you can do about it. The risk of identity theft increases as malicious actors rack up more points of data about you.