In what the Federal Emergency Management Agency (FEMA) has acknowledged is a “major privacy incident,” nearly 2.5 million U.S. disaster survivors had their personal information shared with a third-party contractor responsible for setting up temporary housing. This data breach represents a violation of the Privacy Act of 1974 as well as official policy of the Department of Homeland Security (DHS). This means that U.S. government officials should be taking this FEMA data breach very seriously.
The details of the FEMA data breach
According to a report dated March 15 that was filed by the DHS Office of Inspector General (OIG), the data breach occurred when FEMA shared the information of disaster survivors who used the agency’s Transitional Sheltering Assistance Program. These disaster survivors included the victims of the California wildfires in 2017 as well as hurricanes Harvey, Irma and Maria. In order to get these victims into short-term housing, FEMA needed to collect information about all people signing up for the transitional housing program, and then ensure that they were properly taken care of by third-party contractors who were setting up the housing.
As FEMA press secretary Lizzie Litzow explains, this is where the data breach occurred. Instead of only sharing the very basic amount of information that would be expected of such a large-scale government program (e.g. name, date of birth, FEMA registration number), FEMA ended up “over-sharing” all possible information that it had collected on the disaster survivors – including full home address, bank name, bank account information, and the last four digits of each person’s Social Security Number).
Obviously, the potential for identity and theft would have been very high in this case. Using all the personal data collected on the disaster survivors, an unscrupulous hacker or cyber criminal might have been able to open up new bank accounts, drain away financial resources of very vulnerable disaster survivors, or commit other forms of online fraud. However, as FEMA press secretary Lizzie Litzow notes, a thorough review of the matter by the Office of Inspector General did not find any detrimental uses of this personal data. No information was released or compromised, so FEMA said it would not be individually contacting all of the disaster survivors impacted by the data breach.
FEMA cleans up the data breach
The good news is that FEMA has taken aggressive measures to correct the data breach. Once it discovered the problem in December 2018, it immediately put a data filter on all information being shared with its third-party contractor, thereby making sure that all extraneous information would no longer be shared. FEMA also sent out internal security experts two times to conduct on-site checks in order to correct this error. FEMA also worked directly with the contractor (who has thus far remained unnamed) to scrub all data that had been released as part of the data breach. At the same time, FEMA took further aggressive measures to ramp up privacy training for staff members.
Perhaps the best way to think about this data breach is that it was effectively discovered and then sanitized before it could ever develop into a much greater problem. FEMA continues to assure the public that no information was ever compromised in any detrimental way, and that sensitive personal data was no longer being shared with the contractor.
Privacy scenarios involving disaster survivors
The bigger picture issue, of course, is that cybercriminals are known to prey on victims of natural disasters. Whenever a natural disaster strikes – whether it is a hurricane, a flood, a tornado or wildfire – people are naturally in a very vulnerable state. Their homes may have just been destroyed, they may have lost loved ones in the tragedy, and they may be dealing with extreme financial duress. At the same time, disaster recovery staff simply may not have the necessary resources or bandwidth to keep an eye out for cyber threats. Instead of carefully monitoring potential cyber attack vectors, they may be more concerned with restoring different IT and tech resources.
Not surprisingly, cybercriminals have taken advantage of this opportunity to cause financial mayhem with disaster survivors. Until now, the favorite attack tactic was a variation on a “phishing” scheme, in which the cybercriminals would impersonate insurance companies, aid agencies, or disaster relief organizations in an effort to gain access to the personal information of disaster survivors. Given the popularity of crowdfunding relief efforts around natural disasters, they have also posed as online charities attempting to solicit funds from good-hearted people trying to help out disaster survivors.
So, you can immediately see how the FEMA data breach, by transferring disaster survivor information to a contractor, might have unwittingly aided and abetted such a scheme. Since the FEMA data breach involved 2.5 million disaster survivors (1.8 million of whom had their banking information and home address information shared), it would have been a very rich trove of data for any cybercriminal. In the past, the Federal Trade Commission has warned of such schemes, and FEMA itself has issued alerts about scams related to natural disasters.
How to avoid becoming a victim of a data breach
In the event of a natural disaster, say security experts, it’s best to be vigilant and use common sense. Never let your guard down, even for a moment. That means keeping a watchful eye out for fake URLs, fake Facebook pages, fake fundraising pages, and malicious links. If at all possible, type in the address of a website yourself, instead of just clicking on a link found in an email. While it might not be possible to prevent a U.S. agency from sharing data with a contractor, it is possible to take steps to safeguard your personal data. FEMA, for example, has no reason to ask for your personal banking information – so if an email arrives from an unknown source asking for personal banking information, that should be a red flag.
Given the millions of survivors who have used FEMA services in the past, it is incumbent upon all federal agencies to impose tighter rules and controls to prevent a data breach in the future. For its part, FEMA says it will have tighter controls in place by June 2020, hopefully ensuring that when the next natural disaster strikes, vulnerable disaster survivors will not have to worry about a data breach at the same time.