The last thing people who've lived through hurricanes, wildfires, and other natural disasters need to deal with is another catastrophe. But the Federal Emergency Management Agency (FEMA) revealed on Friday that it had compromised more than two million people's personal information.
FEMA accidentally revealed the addresses and banking information of some 2.5 million people who used its Transitional Sheltering Assistance program. The Washington Post reported that 1.8 million people had both types of information compromised; another 725,000 only had their addresses shared. (As if that isn't a sensitive piece of information that most people would rather not have revealed without their knowledge.)
FEMA press secretary Lizzie Litzow told the Post that the agency "provided more information than was necessary” to a contractor for the Transitional Sheltering Assistance program. The Department of Homeland Security’s Office of Inspector General said in a March 15 report that this oversharing could put people at risk of identity theft and fraud, but so far, it doesn't think any of the data "has been compromised in a detrimental fashion."
The incident is said to have led to some changes regarding how FEMA handles disaster survivor information. The agency has set up a "data filter," sent its own security experts on-site to check its network's security, and instructed contractors to complete additional privacy training. Litzow also told the Post that FEMA has been working with the unidentified contractor to remove the extraneous information from its systems.
It's become all too common for tech companies to mismanage personal information. (Deliberately, in some cases, as well as accidentally.) But it merely adds insult to injury for a federal agency tasked with helping people who have survived natural disasters to make their situations worse. The consequences don't appear to be too severe this time, but we suspect this is neither the first nor the last time something like this will pop up.