The Federal Emergency Management Agency shared bank information, addresses and other personal information on more than 2 million victims of disasters with a contractor, a practice the agency acknowledged on Friday gave the outside company "more information than was necessary."
The incident, which was the subject of a report by the Department of Homeland Security's Office of Inspector General, occurred as the agency worked with an outside contractor that was finding temporary housing for victims of the 2017 California wildfires and Hurricanes Harvey, Irma and Maria. FEMA shared more "data elements" than were necessary for the contractor to do its job, the report said.
The contractor's name was redacted in the report.
"Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud," the DHS Inspector General's report said.
FEMA, which is part of Homeland Security, acknowledged that "sensitive, personally identifiable information" had been shared. The agency added that it had taken "aggressive" measures to address the error.
"FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor's information system," Lizzie Litzow, FEMA's press secretary, said in a statement. The agency hasn't found evidence that the data was compromised and worked with the contractor to remove the unnecessary information.
The incident is a reminder that your personal information can flow from one organization's servers into another party's hands, and there isn't much you can do about it. The risk of identity theft increases as malicious actors rack up more points of data about you.