Mailing error by FEMA contractor affects hurricane victims
Date Reported:
10/14/08
Organization:
U.S. Government
Contractor/Consultant/Branch:
Department of Homeland Security
Federal Emergency Management Agency (FEMA)
Unnamed "mailing subcontractor"
Location:
Houston, Texas
Victims:
"hurricane victims"
Number Affected:
"as many as 1,000"
Types of Data:
"private data, including social security numbers, bank account numbers, insurance policy numbers and even annual income"
Breach Description:
"HOUSTON -- FEMA tells Fox 26, as many as 1,000 hurricane victims may have had their personal information exposed to a stranger."
Reference URL:
Fox Channel 26 News
Report Credit:
Fox Channel 26 News
Response:
From the online sources cited above:
The agency says an error by its mailing subcontractor placed one person's aid application under a cover page addressed to another person.
And each subsequent envelope in the batch was improperly stuffed.
[Evan] I have never worked for a mailing services company, but it seems logical to do a test run first then spot check every so often during the production run. Are test runs and checks common in the mailing industry? If not, I suppose a client company could certainly require it.
Houstonian Kevin Farquhar says he received a call from a man whose FEMA application packet contained Farquhar's name, address, social security number and even his annual income.
[Evan] Can you imagine?
Kevin Farquhar in northeast Houston ended up with documentation belonging to Brennon Jackson in Pearland.
Jackson says he received the personal information of a Tomball man.
FEMA has apologized to both Farquhar and Jackson and offered them a year of free credit monitoring.
The agency tells Fox 26 it will extend that offer to anyone else whose most private data, including social security numbers, bank account numbers, insurance policy numbers and even annual income, was mistakenly sent to another applicant.
[Evan] Should the agency be required to identify each affected individual and reach out to them with a notification (offering an explanation, protection tips, credit monitoring, etc.)? Seems as though they should.
Farquhar says he has mailed Jackson's paperwork to him, and Jackson says he already mailed the document he received to its rightful owner in Tomball.
[Evan] Honest people will do these things, but we aren't worried about the honest people, are we?
Commentary:
Here the agency you count on to help you could actually end up causing you more harm.
I have never been a big fan of sending confidential information through the mail. There are too many opportunities for unauthorized disclosure. If someone intercepts a confidential mailing and the receiver wasn't expecting it, how would the receiver know that his/her information was compromised?
Mailing errors will happen from time to time, but what controls do FEMA and its contractor employ to reduce the likelihood of incidents? ~1000 incorrect mailings without detection by the contractor or FEMA (a victim notified the media) seems like poor quality control. In response FEMA is offering credit monitoring. Monitoring will detect fraud AFTER it has occurred.
We won't even attempt to determine how FEMA protects sensitive information internally. We don't know.
Past Breaches:
U.S. Government:
March, 2008 - A breach that hits home with 2008 presidential candidates
March, 2008 - Laptop stolen from NHLBI contained personal health information
July, 2008 - Social Security Administration lists live people in the Death Master File
(and others, check sidebar)
