By Bill Zeeble, KERA News
http://stream.publicbroadcasting.net/production/mp3/kera/local-kera-808997.mp3
Dallas, TX – KERA has learned that private information of nearly 17,000 FEMA aid applicants was posted on public Web sites last week. That secure information apparently first went through the Texas Workforce Commission before it went online. KERA's Bill Zeeble reports.
FEMA says 16,857 names, Social Security and telephone numbers and other private information were publicly posted on two Web sites last week. The names belonged to applicants from Hurricane Katrina who had evacuated to Texas, but now live all across the Gulf Coast. FEMA's acting press secretary, Terry Monrad, says when the agency found out, the names were immediately removed.
Monrad: We are providing an 18-month subscription to ID theft service. And we are keeping them informed of everything we are doing.
KERA also discovered that the FEMA information went through the Texas Workforce Commission before it was posted to a pair of storage Web sites.
Ann Hatchitt, TWC Communications Director: We don't really know how that information got to a third party Web site.
Hatchitt: We need to take it one step at a time and determine if it was purposeful or not, or accidental or not. The TWC just learned about this so we'll take it one step at a time. First thing is definitely an internal investigation to determine how this could have happened.
Both the TWC and FEMA say they don't want this security breach to happen again. FEMA is calling all the people listed to offer the ID security subscription. An investigation continues.
FEMA's Released Statement Concerning the Breach:
On Tuesday, December 16, 2008, FEMA was alerted to an unauthorized breach of private information when an applicant notified FEMA that their personal information pertaining to Hurricane Katrina was posted on the Internet. FEMA took immediate and aggressive action to verify that the information posted was indeed tied to FEMA applicants from Hurricane Katrina. FEMA swiftly contacted the Web site hosting the private information and worked with them to have this private information removed from public view. Additionally, FEMA identified a second Web site posting the same information. We also contacted this second Web site and worked with them to have the private information removed from public view.
The information posted to the sites contained a spreadsheet with 16,857 lines of data that included applicant names, Social Security numbers, addresses, telephone numbers, email addresses and other disaster information regarding disaster applicants from Hurricane Katrina who had evacuated to Texas. Katrina evacuees listed were from across the Gulf Coast.
The format in which the information was displayed is not consistent with the applicant information contained in, or reported by, the National Emergency Management Information System (NEMIS) which houses FEMA's database of personal information. For instance, Social Security information was not in the same format as what would be provided by NEMIS. There were also fields that are foreign to the information maintained by FEMA. FEMA believes that most of the applicant information posted on the Web sites was properly released by FEMA to a state agency which requested and received this information to fulfill routine needs following Hurricane Katrina. While FEMA's release of this information was properly authorized under the Privacy Act and FEMA's process for protecting its applicants' personal information, the subsequent public posting of much of this data was not authorized by FEMA. FEMA and the state agency from which this unauthorized release may have originated are cooperating in a thorough investigation of this matter.
FEMA is attempting to notify all applicants whose information was posted on the Web site and explain the situation and the actions being taken to minimize the impact. The telephone notification will be followed by formal letters with the same information. Additionally, FEMA will provide an 18-month subscription to an identity theft protection service for the affected applicants. Through this service, applicants will have identity theft insurance and fraud resolution. Information explaining all the services being provided is being sent to the applicants.
FEMA regrets that this information was posted and is working collaboratively with its state partner and others to fully investigate this matter. The investigation will continue until the source and circumstances of the breach have been identified.