FEMA contractor at center of privacy violation provides services to many other agencies
Late last year, the Federal Emergency Management Agency (FEMA) was found to have exposed 2.3 million disaster survivors to identity theft and fraud by unnecessarily sending sensitive data to a government contractor administering FEMA’s emergency lodging program. The contractor, which failed to flag the data oversharing to FEMA, was found by the agency to have 11 cybersecurity vulnerabilities in its data and network facilities, seven of which won’t be remediated until 2020.
That same contractor currently supplies, and has supplied since 2005, emergency lodging services to virtually all government agencies and sub-agencies, including the Department of Defense, the Coast Guard, the Department of Justice, and the Department of Veterans Affairs. Based on an investigation, it’s unclear whether the agencies that rely on the contractor for emergency lodging services have made any determination as to whether they, too, were collecting or transmitting unnecessary sensitive data to the contractor. It’s also unclear to what degree the identified cybersecurity vulnerabilities leave the contractor’s facilities exposed to external threats, or whether the personal data of all the other agencies’ personnel is inadequately protected on the contractor’s vulnerable network.