FEMA exposed personal data on 2.3 million disaster survivors, violated privacy law, IG finds

The negligence leaves the survivors of disasters at increased risk to identity fraud schemes.

The U.S. Federal Emergency Management Agency exposed personally identifiable data about more than 2 million disaster survivors in violation of a federal privacy law, an inspector general’s investigation has found.

The negligence leaves the survivors of hurricanes Irma, Harvey, and Maria, as well as the 2017 California wildfires, at increased risk of experiencing identity theft and fraud schemes, the Department of Homeland Security’s inspector general (IG) said in a report published Friday.

In “direct violation” of federal requirements, FEMA released the personal data to a contractor administering a disaster relief program that helps survivors find temporary lodging at hotels, the IG said. The report redacted the name of the contractor.

“During our ongoing audit of the Federal Emergency Management Agency’s (FEMA) Transitional Sheltering Assistance program, we determined that FEMA violated the Privacy Act of 1974 and Department of Homeland Security policy,” the inspector general said in its report.


Details about possible penalties for violating the law were not immediately clear.

FEMA sent the contractor data that included the names of disaster relief applicants’ banks and electronic funds transfer numbers, the IG said.

In a statement, FEMA Press Secretary Lizzie Litzow acknowledged that the agency had given the contractor “more information than was necessary,” adding that FEMA had “taken aggressive measures to correct this error.”

“FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” Litzow said.

The agency, she added, has worked with the contractor to “remove the unnecessary data from the system and updated its contract to ensure compliance” with DHS standards. FEMA has found “no indicators to suggest survivor data has been compromised,” she said.


Cybercriminals often look to exploit appeals for disaster relief to scam people. In the wake of Hurricane Florence last year, an interstate cybersecurity organization warned of a spike in financial fraud and malware.

The 2017 hurricane season was devastating. The three hurricanes cited in the IG report left over 3,000 people dead, with Maria, which ravaged Puerto Rico, accounting for the great majority of that toll. The wildfires in California that year killed at least 46 people and burned 1.2 million acres of land.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts