The Federal Emergency Management Agency exposed the personal identifiable information of 2.3 million survivors of hurricanes Harvey, Irma and Maria and the California wildfires in 2017, by oversharing survivor data with a contractor when it wasn’t necessary.
Worse, the contractor’s networks has unpatched vulnerabilities that would allow an adversary access to that information.
Through the TSA program, The Federal Emergency Management Agency (FEMA) provides transitional sheltering in hotels to disaster survivors displaced by emergencies. It also hires local contractors to administer the program and verify that the applications for those shelter services are approved when victims show up to check into their accommodations.
“FEMA should only provide [the contractor] with limited information needed to verify disaster survivors’ eligibility for the TSA program,” according to a recently published alert from the Office of the Inspector General (OIG) at the Department of Homeland Security.
However, FEMA overshared – releasing to the contractor not just necessary info such as applicant names, birth dates, eligibility dates, number of people in the household and various FEMA-specific authorization/registration numbers, but also more than 20 unnecessary data fields. Out of those 20, FEMA said that six contain personal identifiable information (PII), including applicants’ physical addresses, bank names, electronic funds transfer numbers and bank transit numbers.
Further, the contractor (the name is redacted in the alert) didn’t notify FEMA that it was receiving more information than what was specified in the data transfer agreement it had with the agency.
The incident sparked quick reaction from California Senator (and presidential hopeful) Kamala Harris, who called for testimony into how the incident happened.
FEMA unlawfully disclosed the private information of 2.3 million disaster survivors in California and across the country. I’ll say it again: FEMA Acting Administrator Gaynor must testify before Congress. We need answers about how this happened.
— Kamala Harris (@SenKamalaHarris) March 24, 2019
FEMA is still set up to share these unnecessary fields, though it has implemented stop-gap measures to remedy the issue.
“FEMA headquarters officials told us it may be feasible to change the data-transfer script to remove the unnecessary PII, but such change would need to be coordinated with the Individual Assistance and Mass Care program offices, which may be time consuming,” said the OIG. It added, “FEMA stated it had implemented immediate measures to discontinue sharing the unnecessary data and had begun an on-site assessment of [the contractor’s] network.”
The agency said that it has taken action to destroy the previously shared PII and “sanitize” the contractor’s systems.
“FEMA indicated that the Joint Assessment Team had documented the sanitization and removal of the unnecessarily shared PII and SPII from the contractor’s system,” OIG noted.
The remaining issue has to do with locking down the contractor’s network: According to FEMA, the network assessments found a total of 11 vulnerabilities in the contractor’s network – only four of which have been addressed. There’s no indication of intrusion within the last 30 days, OIG said – however, the contractor only maintains logs for 30 days, so hackers could have previously accessed the information.
The estimated completion date for total remediation of the issue is June 30, 2020.