In the Washington Post article titled “FEMA ‘major privacy incident’ reveals data from 2.5 million disaster survivors,” reporters Joel Achenbach, William Wan, and Tony Romm reveal a shocking security failure by the Federal Emergency Management Agency (FEMA). The failure included the unnecessary and unauthorized sharing of personal information, including banking details and home addresses, of disaster victims from the 2017 California wildfires and Hurricanes Harvey, Irma and Maria.
This was not a hack of FEMA data or an invasive security breach by a malicious actor. This is more along the lines of friendly fire, inadvertent disclosure, and inadequate security procedures by both FEMA and the unnamed third-party contractor that received unneeded, unnecessary personal information for more than 2.5 million people. Though the exact timeline has not been revealed, it is clear this ‘incident’ occurred over a significant period of time, and the third party is still in possession of much of the data. The serious question that arises is: Why did no one act on this until now?
FEMA has admitted the wholesale disclosure of unnecessary private information was a “major privacy incident.” So much so that the Inspector General of Homeland Security was called upon to investigate and issue the public report, which resulted in the Post’s article. The precise group of individuals impacted are those who participated in FEMA’s Transitional Sheltering Assistance program, clearly adding insult to injury. Not surprisingly, FEMA disaster victims are not too happy to learn their personal data is at risk after everything they’ve already been through.
It’s interesting to read FEMA’s statements downplaying the self-inflicted data privacy failure. “FEMA provided more information than was necessary” when communicating disaster survivor information to the contractor, it concedes, revealing that the third-party contractor obviously received the data without any concept of the scope of what it was entitled to receive, and what FEMA was legally authorized to transfer. That’s a failure of epic proportions on both sides.
Though no identity theft or malicious abuse of the information has yet been reported, the Inspector General has been candid enough to admit that the survivors were at discernible risk of “identity theft and fraud.”
Also troubling is the statement in the Report that FEMA was told “it needed to install controls to make sure such data would not continue to be shared with contractors and that the agency needed to assess how wide the problem was and to make sure that data in the contractor’s system was destroyed.” In other words, the privacy breach is systemic and ongoing, even now, weeks later.
Indeed, “FEMA also said in the report that, since implementing its new procedures, it had twice sent internal security experts to conduct on-site checks of its network…” and that “FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.” This shows a continuing inability to contain the spilled data, no different really than an oil spill that cannot be contained.
What’s completely absent from the Report is that software currently exists on the market that would have prevented this incident, enabled FEMA to differentially share data so that only essential lawful information was exposed to the contractor, and enabled FEMA to retroactively deny access to information wrongly shared.
Unfortunately, until FEMA and other government agencies adopt available state-of-the-art Infosecurity software and implement effective disclosure protocols, the danger to privacy is not only from malicious actors. The danger also lies within their inadequate use of available technology and known security measures.
Image by Kelly Thomas