Late last year, the Federal Emergency Management Agency (FEMA) was found to have exposed 2.3 million disaster survivors to identity theft and fraud by unnecessarily sending sensitive data to a government contractor administering FEMA’s emergency lodging program. The contractor, which failed to flag the data oversharing for FEMA, was found by the agency to have 11 cybersecurity vulnerabilities in its data and network facilities, seven of which won’t be remediated until 2020.
That same contractor currently supplies, and has since 2005, emergency lodging services to virtually all government agencies and sub-agencies, including the Department of Defense, the Coast Guard, the Department of Justice and the Department of Veterans Affairs, among others. Based on an investigation, it’s unclear whether the agencies that rely on the contractor for emergency lodging services have made any determination as to whether they, too, were collecting or transmitting unnecessary sensitive data to the contractor. It’s also unclear to what degree the identified cybersecurity vulnerabilities leave the contractor’s facilities exposed to external threats, or whether the personal data of all the other agencies’ personnel are inadequately protected on the contractor’s vulnerable network.
On March 15, the Department of Homeland Security’s Office of Inspector General (OIG) issued a report warning that FEMA had violated the Privacy Act of 1974 and Department of Homeland Security policy by needlessly releasing to the federal contractor administering the agency’s Transitional Sheltering Assistance (TSA) program the personally identifiable information (PII) and sensitive personally identifiable information (SPII) of 2.3 million disaster survivors of hurricanes Harvey, Irma and Maria, and the California wildfires in 2017.
Although the OIG’s report redacted the contractor’s name, the contractor is a Wichita, Kansas-based company called Corporate Lodging Consultants, Inc. (CLC), which is owned by a publicly traded commercial payments company, Fleetcor. CLC describes itself as the “nation’s …