Uncle Sam's disaster agency FEMA creates disaster of its own: 2.3 million survivors' personal records spilled
Org does to privacy what hurricanes did to your house
Disaster relief org FEMA has admitted, conveniently on a Friday night, to accidentally leaking banking details and other personal information of 2.3 million hurricane and wildfire survivors.
The US government's Federal Emergency Management Agency picked the end-of-the-week bad-news dump time slot to let the public know that one of its contractors had mistakenly been sent more information than it ever needed to know.
"In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary," is how the agency's press secretary Lizzie Litzow put it today.
"Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system."
The extra personal info handed over to the contractor is said to have spanned 20 data fields, including things like bank transit and electronic funds routing numbers.
The 2.3 million people exposed by the privacy screw-up are said to be survivors of the California wildfires, and Hurricanes Harvey, Irma, and Maria, all in 2017. If there is a bright side, so far it looks like the information did not get out into the public space.
"To date, FEMA has found no indicators to suggest survivor data has been compromised," Litzow said.
"FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards."
The agency says that it has already begun working with the unnamed contractor to get the leaked information wiped off its systems, and plans to provide its employees with additional training so that the incident doesn't happen again.
"As an added measure, FEMA instructed contracted staff to complete additional DHS [Department of Homeland Security] privacy training," Litzow added. ®
Updated to add
We now understand that from 2008 onwards, FEMA reimbursed disaster survivors through a contractor, by providing those folks' banking details to the external organization so money transfers could be made. Come 2012, the system changed so that the agency didn't have to share people's private financial info. However, the agency accidentally continued to provide the details through a data feed.