The Federal Emergency Management Agency, or FEMA, is in hot water following a government report that found the agency improperly shared the personal data of millions of disaster victims.
The Department of Homeland Security’s Office of Inspector General (OIG) found the FEMA data exposure affected 2.3 million disaster survivors that registered for the agency’s Transitional Sheltering Assistance (TSA) program following several 2017 hurricanes and the California wildfires.
According to the OIG report, “FEMA Did Not Safeguard Disaster Survivors’ Sensitive Personally Identifiable Information,” FEMA released victims’ PII and “sensitive” PII, including financial data, to a third-party contractor that administered the TSA program.
While the contractor, whose name was redacted from the report, was entitled to some information to verify disaster victims’ eligibility in the TSA program, FEMA released 20 “unnecessary data fields” to the contractor.
“The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to [the contractor],” the report stated. “Without corrective action, the disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
Of the 20 fields included in the FEMA data exposure, the OIG report found the agency improperly released and failed to safeguard six fields that included applicants’ sensitive PII: street address, city name, ZIP code, bank name, bank transit number and electronic funds transfer number.
The report stated that FEMA confirmed the contractor received the transmitted applicant data, but it doesn’t explain how the data was transmitted or whether it was encrypted at any point. After being alerted to the data exposure, the report said, FEMA deployed a team of cybersecurity personnel to the contractor’s facilities to delete and sanitize the applicant data, as well as conduct a full assessment of the contractor’s network.
FEMA’s security team found no evidence of a recent intrusion in the contractor’s network, but the company only keeps log data for 30 days. As a result, the security team couldn’t rule out an earlier intrusion or breach of the contractor’s network. The team also found 11 security vulnerabilities in the network, four of which have already been mitigated, the report said. The remaining seven vulnerabilities will be fixed by June of 2020, according to FEMA.
The OIG discovered the FEMA data exposure during an audit of the TSA program to ensure compliance with the contract requirements. The report noted the contractor didn’t notify FEMA that it had released more applicant data than was required for the relief program.
Corrective actions for FEMA data exposure
In addition to destroying the unnecessary applicant data, the OIG also recommended that FEMA implement controls to prevent unnecessary data of disaster survivors from being shared with contractors. FEMA told the OIG it had “implemented immediate measures to discontinue sharing the unnecessary data,” but that full corrective actions could take until June of 2020.
“FEMA headquarters officials told us it may be feasible to change the data transfer script to remove the unnecessary PII,” the report stated, “but such change would need to be coordinated with the Individual Assistance and Mass Care program offices, which may be time consuming.”
High-profile examples of accidental data exposures have grown increasingly common in recent years and have included internal incidents like the FEMA data exposure, as well as public exposures through online databases and cloud instances. The trend has led some security experts to call for greater focus on failed security controls, rather than attribution to specific threat actors or malware.
“I have no ability to control the threat actor or threat agency as an information security [professional] or chief security officer,” said Malcolm Harkins, chief security and trust officer at threat detection vendor Cylance. “The only thing I can control is how vulnerable I am. When we have a breach, we should be publicly attributing the control that failed and do the naming shaming thing.”