The U.S. Federal Emergency Management Agency inadvertently shared 2.3 million disaster survivors’ personal data with a third-party contractor.
The slip was detailed in a Department of Homeland Security OIG report released on March 15. According to the Office of the Inspector General, twenty different types of sensitive personal data about the survivors were accidentally shared by FEMA, leaving those individuals at increased risk of fraud and identity theft.
FEMA’s Joint Assessment Team and Office of the Chief Information Officer are now auditing the contractor’s network to see whether the data may have been further exposed.
FEMA’s efforts are further complicated by the fact that the contractor retains network logs for only 30 days. So far, FEMA’s cybersecurity experts have discovered 11 security vulnerabilities in the contractor’s network, only four of which have been fixed, which means that hackers might have been able to easily access the network.
“According to FEMA, these assessments found no indication of intrusion within the last 30 days although the assessment identified that the contractor did not maintain logs past 30 days,” the OIG says.
The sensitive data has been erased from the contractor’s system, but the review of the contractor’s network is not expected to be concluded until June 30, 2020.