WASHINGTON, D.C. - Millions of disaster survivors are at risk of identity theft, including wildfire survivors in California.
The Washington Post is reporting that 2.5 million people affected by 2017 disasters like the Cascade Fire had their information exposed.
PRESS RELEASE FROM FEMA - Dec. 19. 2008 (Previous incident)
On Tuesday, December 16, 2008, FEMA was alerted to an unauthorized breach of private information when an applicant notified FEMA that their personal information pertaining to Hurricane Katrina was posted on the internet. FEMA took immediate and aggressive action to verify that the information posted was indeed tied to FEMA applicants from Hurricane Katrina. FEMA swiftly contacted the website hosting the private information, and worked with them to have this private information removed from public view. Additionally, FEMA identified a second website posting the same information. We also contacted this second website and worked with them to have the private information removed from public view.
The information posted to the sites contained a spreadsheet with 16,857 lines of data that included applicant names, social security numbers, addresses, telephone numbers, email addresses and other disaster information regarding disaster applicants from Hurricane Katrina who had evacuated to Texas. Katrina evacuees listed were from across the Gulf Coast.
The format in which the information was displayed is not consistent with the applicant information contained in, or reported by, the National Emergency Management Information System (NEMIS) which houses FEMA's database of personal information. For instance, social security information was not in the same format as what would be provided by NEMIS. There were also fields that are foreign to the information maintained by FEMA. FEMA believes that most of the applicant information posted on the websites was properly released by FEMA to a state agency which requested and received this information to fulfill routine needs following Hurricane Katrina. While FEMA's release of this information was properly authorized under the Privacy Act and FEMA's process for protecting its applicants' personal information, the subsequent public posting of much of this data was not authorized by FEMA. FEMA and the state agency from which this unauthorized release may have originated are cooperating in a thorough investigation of this matter.
FEMA is attempting to notify all applicants whose information was posted on the website and explain the situation and the actions being taken to minimize the impact. The telephone notification will be followed by formal letters with the same information. Additionally, FEMA will provide an 18-month subscription to an identity theft protection service for the affected applicants. Through this service, applicants will have identity theft insurance and fraud resolution. Information explaining all the services being provided is being sent to the applicants.
FEMA regrets that this information was posted, and is working collaboratively with its state partner and others to fully investigate this matter. The investigation will continue until the source and circumstances of the breach have been identified.
The Post says the breach happened when FEMA shared addresses and banking information of survivors with a contractor.
They are not sure if anyone's information has been compromised.
FEMA says its installed new controls to prevent breaches like this from happening again. An incident occurred to 2008, when private information was posted on the internet relating to survivors of Hurricane Katrina. You can read what FEMA said about that incident in the sidebar.
This only affects people impacted by 2017 natural disasters like the Cascade fire, Hurricanse Harvey, Irma and Maria.