Hurricane Katrina victims continue to be victimized with breach

Date Reported:
12/19/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
Department of Homeland Security
Federal Emergency Management Agency (FEMA)
"a Texas state agency"

Location:
Washington, D.C.*

*Washington, D.C. is the location of FEMA headquarters. This was an online incident, so the physical location is not clear.

Victims:
"FEMA applicants from Hurricane Katrina"

Number Affected:
16,857

Types of Data:
"names, social security numbers, addresses, telephone numbers, email addresses and other disaster information"

Breach Description:
"On Tuesday, December 16, 2008, FEMA was alerted to an unauthorized breach of private information when an applicant notified FEMA that their personal information pertaining to Hurricane Katrina was posted on the internet."

Reference URL:
FEMA Statement on the Release of Personal Information
The Times-Picayune
1105 Media
Fire Chief

Report Credit:
Federal Emergency Management Agency ("FEMA")

Response:
From the online sources cited above:

On Tuesday, December 16, 2008, FEMA was alerted to an unauthorized breach of private information when an applicant notified FEMA that their personal information pertaining to Hurricane Katrina was posted on the internet.
[Evan] Hurricane Katrina hit Louisiana on August 29th, 2005. Here we are more than three years later and the effects still linger. First was an act of nature, then acts of human error and negligence.

FEMA took immediate and aggressive action to verify that the information posted was indeed tied to FEMA applicants from Hurricane Katrina.
[Evan] I am surprised that FEMA responded so quickly to an alert from "an applicant" and took the matter so seriously. FEMA is a government agency, and we usually don't see bureaucracy work so well. Kudos to FEMA.

FEMA swiftly contacted the website hosting the private information, and worked with them to have this private information removed from public view.

Additionally, FEMA identified a second website posting the same information.
[Evan] This implies that FEMA also did a thorough job investigating. Many organizations' incident response teams would likely have missed a second breach.

We also contacted this second website and worked with them to have the private information removed from public view.

The information posted to the sites contained a spreadsheet with 16,857 lines of data that included applicant names, social security numbers, addresses, telephone numbers, email addresses and other disaster information regarding disaster applicants from Hurricane Katrina who had evacuated to Texas.

The 16,857 applicants were people who evacuated to Texas, and of that number, 16,372 were originally from Louisiana, officials said.

"We don't know where they are now," said FEMA spokeswoman Debra Young.

Katrina evacuees listed were from across the Gulf Coast.

The format in which the information was displayed is not consistent with the applicant information contained in, or reported by, the National Emergency Management Information System (NEMIS) which houses FEMA's database of personal information.

For instance, social security information was not in the same format as what would be provided by NEMIS.

There were also fields that are foreign to the information maintained by FEMA.

FEMA believes that most of the applicant information posted on the websites was properly released by FEMA to a state agency which requested and received this information to fulfill routine needs following Hurricane Katrina.
[Evan] I am very interested in knowing the name of the state agency that appears to have fault in releasing this information.

While FEMA's release of this information was properly authorized under the Privacy Act and FEMA's process for protecting its applicants' personal information, the subsequent public posting of much of this data was not authorized by FEMA.

FEMA and the state agency from which this unauthorized release may have originated are cooperating in a thorough investigation of this matter.

FEMA is attempting to notify all applicants whose information was posted on the website and explain the situation and the actions being taken to minimize the impact.

The telephone notification will be followed by formal letters with the same information.

Additionally, FEMA will provide an 18-month subscription to an identity theft protection service for the affected applicants.

FEMA regrets that this information was posted, and is working collaboratively with its state partner and others to fully investigate this matter.

The investigation will continue until the source and circumstances of the breach have been identified.
[Evan] Again, I am very interested in knowing more. Unfortunately, the general public is probably not as interested. The average lifespan of a breach notification is 24-48 hours, meaning people quickly lose interest in the news after 24-48 hours. Organizations know this and typically release only enough information to comply with the law initially. Once the 24-48 hours have passed, the organization views itself as "in the clear".

Commentary:
I know that FEMA has taken some serious heat in the past and deservedly so, but I am impressed with their response to this breach. I am impressed with the speed of the response (from alert by "an applicant" to public notice was ~3 days), the thoroughness of the initial investigation (finding the second site), and the leadership (stepping up and assuming some responsibility when a state agency may be more at fault). What makes this all the more impressive is the fact that we are talking about a federal agency!

I feel empathy for the Katrina victims more than anything else. I sincerely hope that no bad guys/gals found the information while it was publicly available, although nobody even knows how long it was accessible.

Past Breaches:
U.S. Government:
March, 2008 - A breach that hits home with 2008 presidential candidates
March, 2008 - Laptop stolen from NHLBI contained personal health information
July, 2008 - Social Security Administration lists live people in the Death Master File

FEMA:
October, 2008 - Mailing error by FEMA contractor affects hurricane victims


Comments
12/31/2008 3:49 PM Charles R. Curbo wrote:
12-31-08
Well, FEMA is going to give "18" months identity screening. They've certainly got the de facto industry practice of one year credit monitoring beat, although I just do not know about what type of "protection" or the efficacy of any such "protection" it is for someone to tell you that your credit may have been tampered with (after the fact, no less) when it comes to home invasions, prosecution for bad checks, and other things that can and do happen to people who have been victims of identity theft. In my personal opinion, the laws on this need to be comprehensively rewritten to provide for adequate redress in cases of gross negligence or intentional conduct on the part of the information holder who causes or allows sensitive personal information to be compromised. Further, I believe that the doctrine of absolute immunity is one of the most ridiculous things we still have in our laws, stemming from the old doctrine of "the King can do no wrong". No one should be above the law; qualified good faith immunity should be good enough for anyone or any entity whatsoever.
