FEMA Exposed 2.3 Million Disaster Victims' Private Data
(Mar 25, 2019)
The US Federal Emergency Management Agency (FEMA) inadvertently shared 2.3 million records of disaster survivors' Personally Identifiable Information (PII) with an unnamed contractor, according to the Department of Homeland Security OIG report released on March 15, 2019. At the time of this writing, FEMA's Joint Assessment Team and the Office of the Chief Information Officer are currently auditing the contractor to assess if the data was further exposed. Thus far, FEMA's investigators have found that the contractor only held their network logs for 30 days of which investigators found no evidence of a breach. However, investigators did identify that the contractor's network contained 11 unspecified vulnerabilities of which four have been mitigated. The exposed records contained information such as: bank transit number, city name, electronic funds transfer number, financial institution name, street address, and zip code. Other information such as birth dates, names, and the last four digits of Social Security Numbers is data that FEMA is allowed to share with contractors.
Recommendation: The exposure of Personally Identifiable Information (PII) requires affected individuals to take precautionary measures to protect their identity and their finances. Identity theft services can assist in preventing illicit purchases, or applying for financial services from taking place by actors using stolen data.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.