FEMA Data Leak Brings Whole New Area of Privacy Concerns to Light

April 1, 2019

News broke last week that the Federal Emergency Management Agency (“FEMA”) provided the personal information of 2.3 million natural disaster survivors to a contractor working for the agency’s Transitional Sheltering Assistance program. The individuals whose information was exposed included survivors of hurricanes Harvey, Irma and Maria and the 2017 California wildfires. The contractor with whom the information was shared was responsible for providing shelter to disaster survivors, often temporary housing such as hotels. A certain set of information, including name and eligibility information, must be disclosed for the contractor to be able to do its job and screen applicants. However, FEMA provided 20 additional unnecessary data fields, including bank information, bank transit numbers, and the applicant’s specific address information. A spokeswoman for FEMA said that the information had been removed from the system following a review after the impropriety came to light. While there is currently no indication that the survivor data was compromised, this incident sheds light on the importance of cybersecurity in the wake of natural disasters.

There is a known problem with cybercriminals exploiting natural disasters and targeting both the individuals and the organizations involved. Victims of natural disasters are likely to interact with government entities, insurance companies, and nonprofit organizations, some of which they may be unfamiliar with. Cybercriminals are aware of this and may either seek to exploit security weaknesses in those organizations, or attempt to impersonate them in “phishing” attacks on the victims. The National Center for Disaster Fraud was formed after Hurricane Katrina in 2005 to help combat disaster-related fraud scams, for both manmade and natural disasters. Since its formation, it has logged over 70,000 complaints connected with scams. There have been over 1,300 disaster fraud prosecutions in relation to Hurricane Katrina alone.

Companies that are themselves involved in natural disasters also face risk. When a company’s physical assets are damaged because of an event such as a hurricane or accompanying floods, its cyber assets can be left vulnerable. Cybercriminals can exploit those vulnerabilities and are likely to target companies in areas that are experiencing natural disasters, making back-up security measures vitally important.

Mistakes such as the one committed by FEMA can put individuals who are already suffering the horrors of a natural disaster at risk of having their information stolen. Everyone involved in disaster relief, but especially federal agencies, needs to be more vigilant when handling sensitive victim information, and have safeguards and checks in place to prevent leaks.

Rachel Posey, 25 March 2019