Release Date: December 19, 2008
Release Number: FNF-08-089
On Tuesday, December 16, 2008, FEMA was alerted to an unauthorized breach of private information when an applicant notified FEMA that their personal information pertaining to Hurricane Katrina was posted on the internet. FEMA took immediate and aggressive action to verify that the information posted was indeed tied to FEMA applicants from Hurricane Katrina. FEMA swiftly contacted the website hosting the private information and worked with them to have this private information removed from public view. Additionally, FEMA identified a second website posting the same information. FEMA also contacted this second website and worked with them to have the private information removed from public view.
The information posted to the sites contained a spreadsheet with 16,857 lines of data that included applicant names, social security numbers, addresses, telephone numbers, email addresses and other disaster information regarding disaster applicants from Hurricane Katrina who had evacuated to Texas. Katrina evacuees listed were from across the Gulf Coast.
The format in which the information was displayed is not consistent with the applicant information contained in, or reported by, the National Emergency Management Information System (NEMIS) which houses FEMA's database of personal information. For instance, social security information was not in the same format as what would be provided by NEMIS. There were also fields that are foreign to the information maintained by FEMA. FEMA believes that most of the applicant information posted on the websites was properly released by FEMA to a state agency which requested and received this information to fulfill routine needs following Hurricane Katrina. While FEMA's release of this information was properly authorized under the Privacy Act and FEMA's process for protecting its applicants' personal information, the subsequent public posting of much of this data was not authorized by FEMA. FEMA and the state agency from which this unauthorized release may have originated are cooperating in a thorough investigation of this matter.
FEMA is attempting to notify all applicants whose information was posted on the website and explain the situation and the actions being taken to minimize the impact. The telephone notification will be followed by formal letters with the same information. Additionally, FEMA will provide an 18-month subscription to an identity theft protection service for the affected applicants. Through this service, applicants will have identity theft insurance and fraud resolution. Information explaining all the services being provided is being sent to the applicants.
FEMA regrets that this information was posted, and is working collaboratively with its state partner and others to fully investigate this matter. The investigation will continue until the source and circumstances of the breach have been identified.
Last Modified: Tuesday, 23-Dec-2008 10:49:44