Breach Brief – FEMA, Dealer Leads
Federal Emergency Management Agency
As if your life isn’t screwed up enough after a natural disaster now you have to deal with a federal agency that spilled your personal data.
The Federal Emergency Management Agency (FEMA) admitted that for the last decade it has unnecessarily exposed the personally identifiable information of roughly 2.5 million disaster victims to a third-party contractor.
FEMA is notifying 2.5 million people their personal information was shared with a third party contractor that supports its transitional sheltering assistance program. Disaster victims who applied for temporary housing assistance between 2008 and 2018 may have been impacted. As many as 1.8 million people had there banking information exposed as a result of the breach. FEMA does not believe that any of the data was used for malicious purposes.
FEMA sent the contractor specific data to verify survivors’ eligibility for disaster assistance and lodging. That information included full names, dates of birth, eligibility start and end date, a FEMA registration number, and the last four digits of survivors’ Social Security numbers.
However the Office of the Inspector General (OIG) report found that FEMA also shared as many as 20 additional and unnecessary data fields with the contractor. This included six that contain particularly sensitive information, like survivor’s full home addresses, bank name, electronic funds transfer number, and bank transit number.
FEMA’s explanation for the breach is that it originally shared survivor’s banking and home address information with the TSA contractor in order to reimburse disaster victims for their incurred lodging costs. The reimbursement program was shut down in 2008 and housing payments have been paid directly through FEMA. But FEMA carelessly continued to share the same information with the contractor, even though it was no longer needed.
In response to the breach FEMA has permanently deleted the data from the contractor’s system, is revising its data sharing process and conducting a security assessment of the contractor computer system.
FEMA is also offering 18 months of free credit monitoring services to those affected by the breach. You can sign up using MyIDCare or calling FEMA directly at 1-833-300-6934. Operators are on duty Monday through Saturday from 9 a.m. to 9 p.m.
Are you looking for a new car? Did you buy a new or used car? Well congratulations your data has been exposed. An internet security researcher found an unsecured database of 198 million car buyers’ just sitting there online.
The information contained a lot of sensitive car buyer information. But before you panic there’s no evidence that the data was stolen by hackers. Thankfully the security guy found the database first.
Our hero is Jeremiah Fowler, senior security researcher at SecurityDiscovery.com. Fowler found the unsecured database contained records with the names, emails, phone numbers, addresses, IPs and other sensitive or identifiable information. The information was not encrypted so it was viewable in plain text.
As Fowler worked to track down the owner of the database he discovered it held information from multiple websites. After more investigation he discovered that the websites all linked back to Dealer Leads.
Dealer Leads is digital marketing company that helps small car-dealer franchises generate leads through websites Dealer Leads created or bought.
Dealer Leads has since secured the database after being informed by Fowler of the situation. Thanks guys. That was close!