Cybersecurity, FEMA and Stewardship
FEMA’s mission involves assisting citizens as they face natural disasters (hurricanes, wildfires, etc.). Over the years, FEMA has had its ups and downs, most of them widely covered by media outlets. These have mostly involved missteps with supplies, mobile homes, and various other issues.
When citizens have been the victims of a natural disaster, they have too much on their minds with family, pets, home, and other assets. Feelings and emotions tend to run high during these times. The last thing they need to be concerned with is working through identity theft or wondering who has purchased their personal information.
Unfortunately, FEMA inadvertently allowed unauthorized access to over 2 million people’s private and confidential data. The issue was reported in the Department of Homeland Security’s Office of Inspector General audit report of March 14, 2019.
When a person applies for assistance from FEMA after a disaster, the person is required to use the Transitional Sheltering Assistance Program. This program has assisted people affected by the 2017 California wildfires, Hurricanes Harvey, Irma, and Maria, and many other disasters. The exposed data belonged to the applicants from these natural disasters, numbering 2.3M to 2.5M. It included home addresses and banking information (bank name and account number; with the bank’s name, obtaining the routing number is easy). Of the affected persons, 1.8M had both types of data available to unauthorized parties, and 725 had only their address involved.
Normally this type of data would not simply be housed in a government database. Here, however, it was required from the applicant because it would be used to make the assistance payments and to record the data. There was a legitimate reason to have it.
The exposure presented another notable problem for FEMA. As a course of business, FEMA contracts with third parties for specific functions. Keeping all of the services that would be needed across the US within FEMA would be problematic, as the agency is not constantly assisting others. There is not a hurricane or massive wildfire every month. As part of these contractual agreements, certain information on the assistance recipients is necessary. FEMA unintentionally gave a contractor more information on the affected persons than its work required. In this case, the contractor was involved with providing temporary housing.
The data shared with the contractor had an additional 20 fields in the database, which should not have been sent, as they were not germane to the contractor’s function and scope of work. In the Inspector General report, the contractor’s name had been redacted. FEMA’s error effectively has the potential to put the over 2.3M affected persons, already stressed by their circumstances, at risk for identity theft and/or fraud. This is also a violation of the Privacy Act of 1974 and the DHS Management Directive 11042.1.
The issue is rather notable. Once detected, it led to changes in how FEMA manages its clients’ personally identifiable information (PII). FEMA was working with the contractor to remove the unnecessary data from the contractor’s system. DHS made two recommendations to FEMA for correcting the issue. First, that FEMA implement controls to ensure only the authorized data is sent to the contractor. Second, that FEMA ensure the data previously issued to the contractor is destroyed. Although this resolves one aspect of the issue, it does not directly or indirectly address the impact on the persons involved. They are still at risk and would have to pay for any identity monitoring services themselves.
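The first DHS recommendation, a control that lets only the authorized fields reach a contractor, can be built as an outbound allowlist gate that strips anything outside the contractor’s scope and refuses to ship at all when a high-risk field such as a bank account number shows up in the extract. This is an added example, not FEMA’s or DHS’s code; the contractor id, field names and sample records are constructed for illustration.

```python
"""Outbound data-sharing gate: enforce a per-contractor field allowlist.

Constructed illustration of a data-minimization control for contractor
feeds. Contractor id, field names and sample values are made up.
"""
from dataclasses import dataclass, field

# Constructed allowlist: a temporary-housing vendor needs contact and
# address data only; banking fields are deliberately absent.
CONTRACTOR_ALLOWLIST = {
    "housing-vendor-example": {"applicant_id", "first_name", "last_name",
                               "street", "city", "state", "zip", "phone"},
}

# Fields that should never appear in a contractor extract unless explicitly
# allowlisted. Their presence means the upstream query is wrong, so the
# export is blocked for review rather than silently trimmed.
HIGH_RISK_FIELDS = {"bank_name", "routing_number", "account_number", "ssn"}

@dataclass
class ExportResult:
    records: list
    dropped_fields: set = field(default_factory=set)
    blocked: bool = False

def prepare_export(contractor, records):
    """Keep only allowlisted fields and report every field that was stripped.

    Unknown but low-risk extras (e.g. a middle name) are dropped and logged
    via dropped_fields; a high-risk extra blocks the whole export.
    """
    allowed = CONTRACTOR_ALLOWLIST[contractor]
    result = ExportResult(records=[])
    for rec in records:
        result.dropped_fields |= set(rec) - allowed
        result.records.append({k: v for k, v in rec.items() if k in allowed})
    if result.dropped_fields & HIGH_RISK_FIELDS:
        result.blocked = True
        result.records = []  # nothing leaves until the extract is corrected
    return result

# Constructed sample extract that wrongly carries banking fields.
SAMPLE_RECORDS = [
    {"applicant_id": "A-0001", "first_name": "Pat", "last_name": "Doe",
     "street": "1 Example St", "city": "Houston", "state": "TX",
     "zip": "77001", "phone": "555-0100", "bank_name": "Example Bank",
     "routing_number": "000000000", "account_number": "123456789"},
]
```

A real deployment would write `dropped_fields` to an audit log and page the data owner when `blocked` is set, so the question the OIG raised (why the banking fields were in the extract at all) is asked before the file is sent rather than after.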
When you demand and require data from a person, especially one with no bargaining power or leverage, in exchange for services they require to live, you become a steward of that information. You are responsible for its safekeeping and for acting as a reasonably prudent organization would. The release of the data, or unauthorized access to it, has detrimental short- and long-term effects for the affected parties.
For an epic error of this magnitude to still be occurring is not acceptable at any level. These persons have to deal with having their lives uprooted by their respective natural disasters. In addition, the 2.3-2.5M persons now also have to watch for their funds to evaporate into the ether, or for possible identity theft if the purchaser is a crafty social engineer. This could, of course, have been much worse for the affected parties. The issue brings up two points. What would make FEMA staff members think a contractor focused on providing temporary housing would need the affected persons’ banking information? Also, once the contractor received the additional unauthorized data, why didn’t it notify FEMA? When the file was downloaded, the contractor’s staff would seemingly have wondered why that data was present.
Achenbach, J., Wan, W., & Romm, T. (2019, March 22). FEMA ‘major privacy-incident’ reveals data from 2.5 million disaster survivors. Retrieved from https://www.washingtonpost.com/national/health-science/fema-data-breach-hits-25-million-disaster-survivors/2019/03/22/ and https://www.chicagotribune.com/news/nationworld/ct-fema-privacy-data-breach-20190322-story.html
Associated Press. (2019, March 22). FEMA wrongfully released personal data of 2.3 million disaster victims: Watchdog. Retrieved from https://cnbc.com/2019/03/22/fema-exposed-personal-data-of-2point3-million-disaster-victims-watchdog.html
Brufke, J. (2019, March 22). FEMA exposed personal information of 2.3 million disaster survivors. Retrieved from https://thehill.com/policy/cybersecurity/435386-fema-exposed-personal-information-of-23-million-disaster-survivors
Keck, C. (2019, March). FEMA breach exposes personal data and banking information of 2.3 million disaster survivors. Retrieved from https://gizmodo.com/fema-breach-exposes-personal-data-and-banking-informati-183350871
Kelly, J.V. (2019, March 15). Management alert-FEMA did not safeguard disaster survivor’s sensitive personally identifiable information (REDACTED). Retrieved from https://www.oig.dhs.gov/sites/default/files/assets/2019-03/OIG-19-32-Mar19.pdf
Linton, C. (2019, March 22). FEMA exposed personal information of 2.3 million disaster victims. Retrieved from https://www.cbsnews.com/news/fema-data-breach-exposed-personal-information-of-2-3-million-disaster-victims/
Lyngaas, S. (2019, March 22). FEMA exposed personal data on 2.3 million disaster survivors, violated privacy law, IG finds. Retrieved from https://www.cyberscooop.com/fema-exposed-personal0data-2-3-million-disaster-survivors-violated-privacy-law-ig-finds/
Matt, N. (2019, March 23). FEMA privacy disaster reveals information of 2.5 million Americans. Retrieved from https://www.tomshardware.com/news/fema-reveals-information-2-5-million-disaster-survivors.38903.html
Sukin, G. (2019, March 22). FEMA exposes personal, banking details of 2.5 million disaster survivors. Retrieved from https://www.axos.com/fema-data-breach-leaks-personal-banking-information-25-million-disaster-survivors-33912b1c-03b6-458f-a5cd-d791fb2bdb2.html
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.