Cyber-Security Alert!: FEMA Leaked Data Of 2.3 Million Disaster Survivors (#GotBitcoin?)
… by a natural disaster, survivors have a lot of pressing concerns. They may be dealing with health impacts, displacement, loss of property, and even grieving the deaths of loved ones. Through all of this, though, one worry that is probably not in their minds is the question of whether their personal data is safe with the Federal Emergency Management Agency. Unfortunately, what should be a given is apparently another burden to add to an already painfully long list.
On Friday, FEMA publicly acknowledged a Homeland Security Department Office of the Inspector General report that the emergency response agency wrongly shared personal data from 2.3 million disaster survivors with a temporary-housing-related contractor. In doing so, the agency violated the Privacy Act of 1974 and Department of Homeland Security policy, and exposed survivors to identity theft.
The Federal Emergency Management Agency’s inspector general said officials accidentally released personal information to a contractor. The information included Social Security numbers and banking information of about 2.3 million survivors of hurricanes Harvey, Maria and Irma, as well as the California wildfires in 2017, leaving them exposed to identity theft and fraud.
“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary,” said Lizzie Litzow, an agency spokeswoman, in a statement Friday. “Since discovery of this issue, FEMA has taken aggressive measures to correct this error.”
Agency officials didn’t deny that the incident is potentially harmful to millions of victims but stressed that it wasn’t a data breach.
The disaster survivors were part of the transitional sheltering assistance program, which provides hotels or other temporary housing for survivors who aren’t able to return home for an extended period following a disaster.
“We overshared information with a contractor, but by all means this was not a data breach, no disaster survivor data or information under the program was compromised,” said FEMA spokesman Daniel Llargues.
The program requires personal and banking information to ensure claims aren’t fraudulent and payments are made quickly.
“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” Ms. Litzow said. “To date, FEMA has found no indicators to suggest survivor data has been compromised.”
The inspector general’s report was released on March 15 and posted online Thursday. It included recommendations that the agency send only required data to contractors and that data be destroyed in a timely manner. The contractor in question, which wasn’t identified, is working to implement necessary security changes, the agency said.
The FEMA incident is relatively small in comparison to other recent data releases including Facebook Inc.’s inadvertent exposure of hundreds of millions of users’ passwords.
The FEMA disclosure was an accident, according to authorities; the data apparently wasn’t pilfered by thieves, and the exposure apparently wasn’t malicious.
Just to clarify, it’s not a hack per se; no one had to break in to get the data. The data, collected for the Transitional Sheltering Assistance program, came from survivors of the 2017 California wildfires and hurricanes Harvey, Irma, and Maria. The contractor that received the errant data was helping to secure temporary housing for survivors at hotels—a standard practice so FEMA can minimize the number of people staying in emergency shelters.
The data FEMA should have sent to the contractor to verify survivors’ eligibility for lodging includes full names, dates of birth, eligibility start and end date, a FEMA registration number, and the last four digits of survivors’ Social Security numbers.
That’s plenty of information in itself. But the OIG report also found that FEMA additionally shared 20 unnecessary data fields with the contractor, including six that contain particularly sensitive information, like survivors’ full home addresses, bank name, electronic funds transfer number, and bank transit number.
“In transferring disaster survivor information to a contractor, FEMA provided more information than was necessary,” FEMA press secretary Lizzie Litzow said in a statement on Friday. “Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system. To date, FEMA has found no indicators to suggest survivor data has been compromised.”
Those affected are over two million survivors of recent natural disasters in the United States. FEMA says that it will not be notifying impacted individuals or offering a mechanism for people to check whether they were affected, because the agency doesn’t consider the incident a data breach. “No information was released or compromised,” FEMA spokesperson Daniel Llargues told WIRED. “We overshared data with a contractor like mentioned in the statement, but NO disasters’ survivor information was compromised.”
How Serious Is This?
FEMA says that the leaked data wasn’t stolen or abused while the contractor possessed it, but there’s also no way to confirm that. The agency has concurred with all of the OIG’s many recommendations on how to better control sensitive data, and has committed to implement them by June 30, 2020.
“Given the sensitive nature of these findings, we urge FEMA to expedite this timeline,” said the OIG in its report. “Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
Unnecessary and unauthorized data sharing is dangerously common in both the corporate and government arenas, and FEMA’s gaffe is particularly maddening given the already vulnerable situation of the impacted individuals.
“The fact that the data was shared with no safeguards is alarming, and FEMA needs to immediately figure out how to prevent breaches of personal data in the future,” says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. “The report findings show that FEMA did no advanced analysis of what information should be provided to the subcontractor and shared practically everything.”
Trump Delivers Critical News About Cyber Security
Trump says he knows more about cyber attacks, Russian hacking and Internet security than anyone in the FBI and CIA because he has a secret trusted advisor and “insider” … his 10-year-old son, Barron.
Your Questions And Comments Are Greatly Appreciated.
Monty H. & Carolyn A.