Millions of hurricane and wildfire survivors are learning that they're at "increased risk of identity theft and fraud" because the Federal Emergency Management Agency shared their banking and other private information.
The Department of Homeland Security inspector general said Friday that FEMA had unlawfully disclosed the private data of 2.3 million survivors with a federal contractor that was helping them find temporary housing.
The 2.3 million people include survivors of Hurricanes Harvey, Irma and Maria and the 2017 California wildfires.
The data includes "20 unnecessary data fields" such as electronic funds transfer number, bank transit number, and address. The data was part of a stream of information the agency feeds to the housing contractor, whose name was redacted from the public version of the inspector general's report.
FEMA said it began filtering the data in December 2018 to prevent the information from being shared, but a more permanent fix may not be finalized until June 2020.
"Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor's information system," said Lizzie Litzow, press secretary for FEMA, in a statement.
"To date, FEMA has found no indicators to suggest survivor data has been compromised," Litzow said, although the inspector general's office said the contractor keeps data security logs only for the past 30 days.
The statement also said FEMA was requiring additional privacy training for contractors and "worked with the contractor to remove the unnecessary data from the system."