Late last year, the Federal Emergency Management Agency (FEMA) was found to have exposed 2.3 million disaster survivors to identity theft and fraud by unnecessarily sending sensitive data to a government contractor administering FEMA's emergency lodging program. The contractor, who failed to flag the data oversharing to FEMA, was found by the agency to have 11 cybersecurity vulnerabilities in its data and network facilities, seven of which won't be remediated until 2020.

That same contractor currently supplies, and has since 2005, emergency lodging services to virtually all government agencies and sub-agencies, including the Department of Defense, the Coast Guard, the Department of Justice and the Department of Veterans Affairs, among others. Based on an investigation, it's unclear whether any of the agencies that rely on the contractor for emergency lodging services have determined whether they, too, were collecting or transmitting unnecessary sensitive data to the contractor.

It's further unclear to what degree the identified cybersecurity vulnerabilities leave the contractor's facilities exposed to external threats, or whether the personal data of the other agencies' personnel is inadequately protected on the contractor's vulnerable network.

On March 15, the Department of Homeland Security's Office of Inspector General (OIG) issued a report alerting that FEMA had violated the Privacy Act of 1974 and Department of Homeland Security policy by needlessly releasing to the federal contractor administering the agency's Transitional Sheltering Assistance (TSA) program the personally identifiable information (PII) and sensitive personally identifiable information (SPII) of 2.3 million survivors of hurricanes Harvey, Irma and Maria and the California wildfires in 2017.

Although the OIG's report redacted the contractor's name, the contractor is a Wichita, Kansas-based company called Corporate Lodging Consultants, Inc. (CLC), which is owned by a publicly traded commercial payments company, Fleetcor. CLC describes itself as the "nation's leading provider of workforce lodging rates" and has been the federal government's sole official provider of emergency lodging services since 2005 under a blanket purchase agreement with the General Services Administration (GSA), a contract that is now on its third iteration. CLC did not respond to requests for comment.

FEMA's overcollection and transmission of the survivors' SPII came about because a previous but now suspended program, called the TSA-Reimbursable Program (TSAR), required emergency lodging applicants to provide the SPII so they could be directly reimbursed by CLC. The privacy incident occurred because FEMA did not take steps to ensure it provided only required data elements to CLC. Moreover, CLC did not notify FEMA that the agency was providing unnecessary PII and SPII for eligible disaster survivors.

The collection and transmission of the survivors' data, which encompassed 20 unnecessary data fields including full addresses, financial institution names, electronic funds transfer numbers and bank transit numbers, placed survivors seeking disaster-related housing under the TSA program at increased risk of identity theft and fraud. After sanitizing the unnecessary data from the contractor's systems and deploying a joint assessment team of cybersecurity personnel to the contractor's facilities, FEMA discovered 11 security vulnerabilities in the contractor's network, only four of which had been remediated as of March 2019. The contractor is developing remediation plans for the remaining seven vulnerabilities, which won't be fully implemented until June 30, 2020.

(Although we identified CLC as the contractor in early April, Dave Gershgorn at Quartz first went public with the contractor's name on April 9 in this piece. We identified the parent company of CLC in the exact same manner as Gershgorn: through a search of the federal contracts database administered by GSA.)

Under the contract, CLC provides lodging negotiation and management services for the federal government, allowing agencies to centrally source, manage, pay, audit and report on their emergency lodging response purchases. CLC has established relationships with more than 15,000 hotels in North America, and seeks not only to serve as a lodging facilitator for the government but also to negotiate lower-than-market rates for government clients.

According to its blanket purchase agreement with GSA, under which all eligible government entities can arrange to use CLC for emergency lodging, CLC is paid a per-room-night fee according to a schedule that starts at $2.88 per room night and drops with bulk discounts, ending at $1.92 per room night for government clients that request more than two million room nights per year. CLC bills the government at cost for hotel and other lodging facility charges. Lodgers, however, are usually required to provide credit cards for incidental charges and damage to the room, or in some cases pay CLC directly with a government credit card, check or wire transfer.

Does PII and SPII data exposure go beyond FEMA?

According to GSA's Federal Procurement Data System (FPDS), CLC has since October 2007 (the earliest entry in the FPDS database) provided lodging services to thirteen different government agencies and 26 sub-agencies of the federal government, including FEMA, which is the largest government client by a wide margin.

The federal government agencies to which CLC has provided lodging services since 2007 include:

Corporation for National and Community Service (CNCS)
Department of Agriculture (USDA)
Department of Commerce (DOC)
Department of Defense (DOD)
Department of Homeland Security (DHS)
Department of Justice (DOJ)
Department of Labor (DOL)
Department of State (DOS)
Department of the Interior (DOI)
Department of Transportation (DOT)
Department of Veterans Affairs (VA)
Environmental Protection Agency (EPA)
General Services Administration (GSA)

Although the data from the FPDS is difficult to analyze, since October 2007 the federal government has spent at least an estimated $100 million on CLC's services, with the total "potential" value of the government awards since 2007 worth an estimated $1.9 billion. The vast majority of government spending on CLC flows to DHS, with most of that spending attributable to FEMA. However, the U.S. Coast Guard, which operates under DHS, has accounted for at least $11.7 million and potentially up to $66.4 million of DHS's spending with CLC. U.S. Customs and Border Protection, also operating under DHS, accounted for nearly $400,000 of the department's total.

Another arm of the government that relies on CLC's services is the Department of Justice's Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), which has spent at least $3 million and possibly up to $15 million on emergency lodging services through CLC since 2007. The Department of Veterans Affairs has spent an estimated minimum of $2.4 million and possibly up to $15.7 million arranging emergency lodging services through CLC. The Corporation for National and Community Service, which runs the AmeriCorps and Senior Corps government volunteer programs, has spent at least $15.5 million and up to $18.4 million on CLC since 2007.

The risk, of course, is whether these other government agencies were, like FEMA, supplying unnecessary PII or SPII to CLC, exposing their workers to identity theft or fraud. "You have to ask what other government agencies are sharing different data with [CLC]," Dave Kennedy, CEO of cybersecurity firms TrustedSec and Binary Defense, says. "More data might be at risk. Other government agencies should be conducting the same investigation."

Whether government workers from the other agencies were in fact exposed to identity theft or fraud is contingent on what information the other agencies supplied to CLC. "There is a potential there for identity theft," Sara Jodka, head of the data privacy and cybersecurity practice at Dickinson Wright, says. "It really depends on what data components you have."

The fact that most of these government agencies' lodging requests involve sensitive personnel in emergency situations could mean that the exposed data is not only a potential privacy violation but also a government security concern, particularly given the insecure state of CLC's facilities. "Each of those eleven vulnerabilities is a separate door that could take us into additional government information," Jodka said.

Matthew Hickey, co-founder and director of computer security company Hacker House, thinks the data housed by CLC might be of particular interest to foreign intelligence services seeking to harm U.S. interests. "The agencies the contractor supplies services to make the information high value for someone involved in espionage or seeking to blackmail U.S. government employees in an effort to obtain sensitive information," Hickey said in an email.

CSO asked whether DHS or FEMA in their joint investigation had made any effort to determine whether government users from these other agencies, or even DHS's own other sub-agencies, had unnecessary SPII stored on CLC's systems. We also asked whether DHS or FEMA had informed the other agencies of the vulnerabilities they found in CLC's systems. A FEMA spokesperson referred us to DHS. DHS did not respond to requests for this information.

What is the risk from the 11 CLC vulnerabilities?

Other risks stem from the 11 vulnerabilities identified in CLC's systems. The fact that the cybersecurity specialists sent by FEMA and DHS found so many vulnerabilities, most of which can't be fixed for at least a year, indicates that the risks might be severe. "Even without understanding the criticality of them, that means systemic larger issues," Kennedy says. "Non-major issues are pretty quick to fix."

Hickey, however, has a slightly different interpretation. He says that "if a vulnerability is not to be patched until 2020, it indicates that it may not put the information at a significant risk in the immediate future."

Requests to both DHS and FEMA for a copy of the joint assessment team's report outlining the vulnerabilities, or a list of what those vulnerabilities are, went unanswered. A FEMA spokesperson says via email that "due to security concerns, FEMA will not provide further comment on the results of our assessment due to our responsibility to protect applicant data and the systems that house them. FEMA continues to work with the contractor to ensure compliance with the Department's cybersecurity requirements and overarching federal guidance on information security."

No survivor data was compromised -- maybe

FEMA has repeatedly stressed that, as one spokesperson reiterated in an email, "there has been no information to suggest that survivor data has been compromised." However, FEMA was only able to examine 30 days' worth of potential intrusion activity because CLC did not maintain system logs past the previous 30 days. Kennedy said that sound industry practices typically require log retention for up to a year and that 30 days is insufficient for determining whether a compromise has occurred.

A memo from DHS's John Doolin, attached to the March 15 OIG report, states that on December 7, 2018, FEMA performed a unilateral contract modification to incorporate "cybersecurity clauses" into CLC's contract that require the company to implement "robust cybersecurity practices in all phases of program administration" and mandate the most current DHS privacy training as it relates to PII and SPII. The summary of the contract modification available on the federal contractor system says that "the purpose of the modification is to incorporate two Cyber Hygiene Clauses into the Corporate Lodging Consultants Inc. contract" but offers no details about those clauses. Requests to DHS, FEMA and GSA for a copy of the contract modification did not yield any information.

Why FEMA and DHS maintained such a high level of secrecy around CLC's name, redacting it from the report, and refused to discuss the vulnerabilities found in CLC's network is a bit of a mystery given how easily anyone can identify CLC as the redacted contractor. Any malicious actor with enough hacking chops who is interested in discovering CLC's vulnerabilities has likely already done so, leaving only the other government agencies and potential identity theft victims in the dark. "Keeping information secret doesn't protect anybody," Kennedy says.