Late last year, the Federal Emergency Management Agency (FEMA) was found to have exposed 2.3 million disaster survivors to identity theft and fraud by unnecessarily sending sensitive data to a government contractor administering FEMA’s emergency lodging program. The contractor, which failed to flag the data oversharing for FEMA, was found by the agency to have 11 cybersecurity vulnerabilities in its data and network facilities, seven of which won’t be remediated until 2020.
That same contractor currently supplies, and has supplied since 2005, emergency lodging services to virtually all government agencies and sub-agencies, including the Department of Defense, the Coast Guard, the Department of Justice and the Department of Veterans Affairs, among others. Based on an investigation, it’s unclear whether the agencies that rely on the contractor for emergency lodging services have made any determination as to whether they, too, were collecting or transmitting unnecessary sensitive data to the contractor. It’s also unclear to what degree the identified cybersecurity vulnerabilities leave the contractor’s facilities exposed to external threats, or whether the personal data of all the other agencies’ personnel is inadequately protected on the contractor’s vulnerable network.
On March 15, the Department of Homeland Security’s Office of Inspector General (OIG) issued a report alerting that FEMA had violated the Privacy Act of 1974 and Department of Homeland Security policy by needlessly releasing to the federal contractor administering the agency’s Transitional Sheltering Assistance (TSA) program the personally identifiable information (PII) and sensitive personally identifiable information (SPII) of 2.3 million disaster survivors of hurricanes Harvey, Irma and Maria, and the California wildfires in 2017.
Although the OIG’s report redacted the contractor’s name, the contractor is a Wichita, Kansas-based company called Corporate Lodging Consultants, Inc. (CLC), which is owned by a publicly traded commercial payments company, Fleetcor. CLC describes itself as the “nation's leading provider of workforce lodging rates” and has been the federal government’s sole official provider of emergency lodging services since 2005 under a blanket purchase agreement with the General Services Administration (GSA), a contract that is now on its third iteration. CLC did not respond to requests for comment.
FEMA’s overcollection and transmission of the survivors’ SPII came about because a previous but now suspended program, called the TSA-Reimbursable Program (TSAR), required emergency lodging applicants to provide the SPII so they could be directly reimbursed by CLC. The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to CLC. Moreover, CLC did not notify FEMA that the agency was providing unnecessary PII and SPII for eligible disaster survivors.
The collection and transmission of the survivors’ data, which encompassed 20 unnecessary data fields including full addresses, financial institution names, electronic funds transfer numbers and bank transit numbers, placed survivors seeking disaster-related housing under the TSA program at increased risk of identity theft and fraud. After sanitizing the unnecessary data from the contractor’s systems and after deploying a joint assessment team of cybersecurity personnel to the contractor’s facilities, FEMA discovered 11 security vulnerabilities in the contractor’s network, only four of which had been remediated as of March 2019. The contractor is developing remediation plans for the remaining seven vulnerabilities, which won’t be fully implemented until June 30, 2020.
(Although we identified CLC as the contractor in early April, Dave Gershgorn at Quartz first went public with the contractor’s name on April 9 in this piece. We identified the parent company of CLC in the exact same manner as Gershgorn: through a search of the federal contracts database administered by GSA.)
Under the contract, CLC provides lodging negotiations and management services for the federal government, allowing agencies to centrally source, manage, pay, audit and report out on their emergency lodging response purchases. CLC has established relationships with more than 15,000 hotels in North America, and seeks not only to serve as a lodging facilitator for the government but also to negotiate lower-than-market rates for government clients.
According to its blanket purchase agreement with GSA, under which all eligible government entities can arrange for using CLC to provide emergency lodging, CLC is paid a per-room night fee according to a schedule that starts at $2.88 per room night and drops with bulk discounts, ending with a $1.92 per room night fee for government clients which request more than two million room nights per year. CLC bills the government at cost for the hotel and other lodging facility charges. Lodgers, however, are usually required to provide credit cards for incidental charges and damages to the room, or in some cases pay CLC directly with a government credit card, check or wire transfer.
Does PII and SPII data exposure go beyond FEMA?
According to the GSA’s Federal Procurement Data System (FPDS), CLC has since October 2007 (the earliest entry in the FPDS database) provided lodging services to thirteen different government agencies and 26 sub-agencies of the federal government, including FEMA, which is the largest government client by a wide margin.
The federal government agencies to which CLC has provided lodging services since 2007 include:
- Corporation for National and Community Service (CNCS)
- Department of Agriculture (USDA)
- Department of Commerce (DOC)
- Department of Defense (DOD)
- Department of Homeland Security (DHS)
- Department of Justice (DOJ)
- Department of Labor (DOL)
- Department of State (DOS)
- Department of the Interior (DOI)
- Department of Transportation (DOT)
- Department of Veterans Affairs (VA)
- Environmental Protection Agency (EPA)
- General Services Administration (GSA)
Although the data from the FPDS is difficult to analyze, since October 2007 the federal government has spent at least an estimated $100 million on CLC’s services, with the total “potential” value of the government award since 2007 worth an estimated $1.9 billion. The vast majority of the government spending on CLC flows to the DHS, with most of that spending attributable to FEMA. However, the U.S. Coast Guard, which operates under DHS, has accounted for at least $11.7 million and potentially up to $66.4 million of DHS’s spending with CLC. U.S. Customs and Border Protection, also operating under DHS, accounted for nearly $400,000 of the department’s total.
Another arm of the government that relies on CLC’s services is the Department of Justice’s Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), which has spent at least $3 million and possibly up to $15 million on emergency lodging services through CLC since 2007. The Department of Veterans Affairs has spent an estimated minimum of $2.4 million and possibly up to $15.7 million arranging emergency lodging services through CLC. The Corporation for National and Community Service, which runs the AmeriCorps and Senior Corps government volunteer programs, has spent at least $15.5 million and up to $18.4 million on CLC since 2007.
The risk, of course, is whether these other government agencies were, like FEMA, supplying unnecessary PII or SPII to CLC, exposing their workers to identity theft or fraud. “You have to ask what other government agencies are sharing different data with [CLC],” Dave Kennedy, CEO of cybersecurity firms TrustedSec and Binary Defense, says. “More data might be at risk. Other government agencies should be conducting the same investigation.”
Whether government workers from the other agencies were in fact exposed to identity theft or fraud is contingent on what information the other agencies supplied to CLC. “There is a potential there for identity theft,” Sara Jodka, head of the data privacy and cybersecurity practice at Dickinson Wright, says. “It really depends on what data components you have.”
The fact that most of these government agencies’ lodging requests reflect sensitive personnel in emergency situations could speak to exposure of data that might be not only a potential privacy violation but also a government security concern, particularly given the insecure nature of CLC’s facilities. “Each of those eleven vulnerabilities is a separate door that could take us into additional government information,” Jodka said.
Matthew Hickey, co-founder and director of computer security company Hacker House, thinks the data housed by CLC might be of particular interest to foreign intelligence services seeking to harm U.S. interests. “The agencies the contractor supplies services to makes the information high value for someone involved in espionage or seeking to blackmail U.S. government employees in an effort to obtain sensitive information,” Hickey said in an email.
CSO asked whether DHS or FEMA in their joint investigation had made any efforts to determine whether the government users from these other agencies or even DHS’s own other sub-agencies had unnecessary SPII stored on CLC’s systems. We also asked whether DHS or FEMA had informed the other agencies of the vulnerabilities they found in CLC’s systems. A FEMA spokesperson referred us to DHS. DHS did not respond to requests for this information.
What is the risk from the other 11 CLC vulnerabilities?
Other risks stem from the 11 vulnerabilities identified in CLC’s systems. The fact that the cybersecurity specialists sent by FEMA and DHS found so many vulnerabilities, most of which can’t be fixed for at least a year, indicates that the risks might be severe. “Even without understanding the criticality of them, that means systemic larger issues,” Kennedy says. “Non-major issues are pretty quick to fix.”
Hickey, however, has a slightly different interpretation. He says that “if a vulnerability is not to be patched until 2020, it indicates that it may not put the information at a significant risk in the immediate future.”
Requests to both DHS and FEMA for a copy of the joint assessment team’s report outlining the vulnerabilities, or a list of what those vulnerabilities are, went unanswered. A FEMA spokesperson says via email that “due to security concerns, FEMA will not provide further comment on the results of our assessment due to our responsibility to protect applicant data and the systems that house them. FEMA continues to work with the contractor to ensure compliance with the Department’s cybersecurity requirements and overarching federal guidance on information security.”
No survivor data was compromised--maybe
FEMA has repeatedly stressed that, as one spokesperson reiterated in an email, “there has been no information to suggest that survivor data has been compromised.” However, FEMA was only able to examine 30 days’ worth of potential intrusion activity because CLC did not maintain system logs past the previous 30 days. Kennedy said that sound industry practices typically require log retention for up to a year and that 30 days is insufficient for determining whether a compromise has occurred.
A memo from DHS’s John Doolin, attached to the March 15 OIG report, states that on December 7, 2018, FEMA performed a unilateral contract modification to incorporate “cybersecurity clauses” into CLC’s contract that require the company to implement “robust cybersecurity practices in all phases of program administration” and mandate the most current DHS privacy training as it relates to PII and SPII.
According to the summary of the contract modification available on the federal contractor system, “the purpose of the modification is to incorporate two Cyber Hygiene Clauses into the Corporate Lodging Consultants Inc. contract” but offers no details about those clauses. Requests to DHS, FEMA and GSA for a copy of the contract modification did not yield any information.
Why FEMA and DHS maintained such a high level of secrecy around the name of CLC, redacting it from the report, and refused to discuss the vulnerabilities found in CLC’s network, is a bit of a mystery given how easily anyone can identify CLC as the redacted contractor. Any malicious actor with enough hacking chops who is interested in discovering CLC’s vulnerabilities likely already has done so, leaving only the other government agencies and potential identity theft victims in the dark. “Keeping information secret doesn’t protect anybody,” Kennedy says.