The Federal Emergency Management Agency (FEMA) has disclosed a data breach that may have exposed the personal private information of nearly 3 million customers to a contractor.

Data at risk include residential addresses, social security numbers and financial information belonging to citizens caught up in major natural disasters to hit the States in recent years, such as hurricanes Irma, Harvey and Maria which battered US cities in 2017.

Victims of the extreme weather fell back on FEMA’s Transitional Sheltering Assistance programme which is in place to help and house those hit by such events.

FEMA response

FEMA press secretary, Lizzie Litzow, said in a statement that FEMA had “provided more information than was necessary” to the contractor in question, and that FEMA had taken “aggressive measures to correct” the error.

Litzow also claimed that FEMA has now stopped sharing unnecessary levels of information with the contractor, and that an assessment of the contractor’s information systems has been carried out as a result.

It is currently not known whether the data breach has had a broader adverse impact for those involved.

The Office of the Inspector General is now working alongside FEMA to Bolser Security for the organisation’s employees and to provide Department of Homeland Security (DHS) privacy training.

FEMA’s IT infrastructures have also been developed through the installation of data filters to ensure no further information is lost. Specialists have also been brought in to conduct on-site security audits, while further controls have been implemented to establish the precise size of the breach.

A long-term solution is the aim of these initiatives, but Litzow has underlined that FEMA is collaborating with the contractor at fault to see that personal consumer information is deleted as soon as possible.

Information for which the contractor had no real use has also been taken from systems concerned, to ensure compliance with Department of Homeland Security standards on data sharing.

FEMA is working to steer efforts towards developing its own cyber-defence integrity and effectiveness so that victims of disasters are given more complete, and secure, support throughout emergency events.

Increasing national pressure

The incident will only contribute to pressures on US politicians to do more to address the discrepancies in attitudes towards cyber-security across the country.

A number of government officials have reiterated their frustrations with data handling behaviours, citing FEMA’s recent shortcomings with victims’ private information.

Chair of the House Homeland Security Committee, Bennie Thompson, said:

“This is unacceptable, and FEMA must demonstrate it will do better in the future. Safeguarding the information of Americans already suffering from a disaster should be of the utmost importance.”