FEMA mistakenly exposed personal information, including addresses and bank account information, of 2.3 million disaster victims, the Department of Homeland Security's Office of Inspector General said in a report released Friday. The breach occurred because FEMA did not ensure a private contractor only received information it required to perform its official duties, the report said.
The report found FEMA's failure to protect their data put them at risk of identity theft and fraud.
The Department of Homeland Security said it is working with the private contractor to remove the data from its system. The name of the contractor was redacted from the report.
According to the report, some of the data collected, such as addresses and Social Security numbers, were necessary to give aid. But other information, like electronic bank account information, is not considered necessary. The report concluded FEMA did not take steps to ensure it only received the necessary data.
FEMA has already been criticized for its response to the catastrophic 2017 hurricane season, with Harvey and Irma wreaking havoc on Texas and Florida and depleting resources before Maria struck Puerto Rico on September 20, 2017. A federal report released in 2018 foundfor the storm's impact.