The Federal Emergency Management Agency shared personal addresses and banking information of more than 2 million U.S. disaster survivors in what the agency acknowledged Friday was a “major privacy incident.” 

The data mishap, discovered recently and the subject of a report by the Department of Homeland Security’s Office of Inspector General, occurred when the agency shared sensitive, personally identifiable information of disaster survivors who used FEMA’s Transitional Sheltering Assistance program, according to officials at FEMA. Those affected included the victims of California wildfires in 2017 and Hurricanes Harvey, Irma and Maria, the report said.

In a statement, Lizzie Litzow, FEMA’s press secretary, said, “FEMA provided more information than was necessary” while transferring disaster survivor information to a contractor.

“We believe this oversharing has impacted approximately 2.5 million disaster survivors,” said a Department of Homeland Security official who asked for anonymity to provide background information beyond the official FEMA statement.

He said 1.8 million people had both their banking information and addresses revealed, and about 725,000 people had just their addresses shared.

It is unclear whether the oversharing has led to identity theft or other malicious actions, he said.

“We don’t have any information that it has been compromised in a detrimental fashion,” the DHS official said.

The Inspector General report said the privacy mishap threatened survivors with “identity theft and fraud.” That report, dated March 15, estimated that 2.3 million people had been affected, slightly less than the estimate provided by the DHS official on Friday.

The Inspector General report told FEMA it needed to install controls to make sure such data would not continue to be shared with contractors and that the agency needed to assess how wide the problem was and to make sure that data in the contractor’s system was destroyed.

In the Inspector General report, FEMA said that once it became aware of the problem, the agency installed a data filter in December to prevent any unnecessary personal data of survivors from leaving its system. FEMA also said in the report that, since implementing its new procedures, it had twice sent internal security experts to conduct on-site checks of its network.

Litzow said FEMA has taken “aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system.” 

FEMA declined to identify the contractor.

Litzow said FEMA has been working with the contractor to remove the unnecessary data from its system. As an added measure, Litzow said, FEMA instructed contracted staff to complete additional DHS privacy training.

“This is unacceptable, and FEMA must demonstrate it will do better in the future,” said Rep. Bennie Thompson (D-Miss.), the chairman of the House Homeland Security Committee. “Safeguarding the information of Americans already suffering from a disaster should be of the utmost importance.”