When the US Department of Homeland Security’s inspector general revealed in March that federal workers had improperly given a lodging contractor the private information of 2.3 million disaster survivors, the name of the company was redacted.
“The contractor administering the TSA program, [REDACTED] helps disaster survivors obtain short-term lodging at participating hotels,” said the inspector general’s report (pdf) in detailing the DHS’s mishandling of data for victims of hurricanes Harvey, Maria, and Irma, as well as the 2017 California wildfires.
Only one government vendor matches the description of the unnamed contractor said to be involved in relief efforts for all four disasters, according to a Quartz analysis of public contracting records and a federal response to a Freedom of Information Act request: CLC Lodging, a unit of a company called FleetCor.
FleetCor, based in Norcross, Georgia, is the parent of CLC Lodging, which operates femaevachotels.com, the portal for survivors seeking to take part in the Federal Emergency Management Agency’s Transitional Sheltering Assistance (TSA) program. The domain is publicly registered to FleetCor. It is the sole website for disaster survivors to find hotels that work with the TSA program and for hotels to validate that applicants have been approved by FEMA.
Blame for sending too much personal information to the contractor has been squarely shouldered by FEMA, which is part of DHS. Acting DHS inspector general John V. Kelly warned that the “disaster survivors involved in the privacy incident are at increased risk of identity theft and fraud.”
A 2018 breach at a FleetCor unit, together with the security vulnerabilities noted by the inspector general, means the disaster survivors’ personal data could have been in the company’s hands at the time one of its units was compromised. FleetCor says none of the survivors’ data was compromised.
“Since the discovery that the information provided to CLC by FEMA did not comply with the agency’s current security rules and policies, we have cooperated fully and have confirmed that the information has not been compromised,” the company told Quartz in an email in response to the FOIA revelation. “As with all of the data that customers share with us, we deploy robust security practices designed to protect the information. Additionally, the superfluous data in question has been securely deleted from all CLC systems.”
What CLC Lodging does
The transitional program provides hotel accommodations for disaster survivors, typically for five to 14 days. CLC Lodging has been under contract with FEMA since at least 2008, according to the company’s website. Femaevachotels.com has been registered to FleetCor since 2009, according to the DomainTools database. The site’s public news feed also indicates FleetCor and CLC Lodging have been its sole operators.
Official guidance for the California wildfires directs survivors to use the CLC-operated website, as does the FEMA Fact Sheet (pdf) for Hurricane Harvey. The FEMA interactive map for disaster survivors also includes a “CLCTEST HOTEL” entry and places it in CLC Lodging’s base of Wichita, Kansas.
FleetCor’s cybersecurity history
A FleetCor unit suffered a cybersecurity breach during the period in which CLC Lodging would have been holding the improperly sent personal data of disaster survivors.
In May 2018, FleetCor, which is publicly held, reported that on April 26 of that year it had detected “suspicious activity primarily on systems involving the Company’s Stored Value Solutions gift-card business.” The company said no customer information had been accessed, but data for gift cards six months or older, including PINs, was compromised. Stored Value Solutions says it processes 1.5 billion transactions annually.
On an earnings call days after the 2018 hack, FleetCor CEO Ronald Clarke said that customer portals seemed to be the source of the security breach. “As we open up all our systems on the planet, there’s more opportunity to get into [user interfaces],” Clarke said.
A FEMA spokesperson would not confirm the name of the contractor cited in the DHS inspector general’s report, adding that “there is no information to suggest any survivors’ data has been compromised.”
A FOIA request from Quartz to FEMA revealed that CLC Lodging was the only company contracted to work on the transitional program since 2013. The inspector general’s report said the contractor keeps logs of who accesses its files for only 30 days. Officials found no intrusions in the month before the report was completed, but that retention window leaves no log record against which any earlier access could be checked.
The inspector general’s report said the DHS team investigating the data mishandling by federal workers found 11 cybersecurity vulnerabilities at the unnamed company, of which four had been remedied at the time of the report.
“FEMA requested the contractor name be redacted to allow time for FEMA to complete its IT assessments and thwart potential cyber-attacks against the contractor while FEMA and the contractor work to address IT vulnerabilities,” a spokesperson for the DHS inspector general’s office told Quartz in an email.
Revenue after natural disasters
Outside of its work for FEMA, CLC Lodging seeks reduced rates for corporate clients by partnering with some of the largest US hotel chains. CLC was bought by FleetCor in 2009 and continued its federal contracting business.
Through its hotel booking and validation website, CLC directly generates revenue from responses to natural disasters, including more than $9 million in 2017, according to government spending records. FleetCor executives have publicly discussed the company’s relationship with FEMA.
“Now Hurricane Florence, which is again very unfortunate, but that could help like be a positive tailwind in the sense of FEMA customers again this year?” asked Deutsche Bank AG research analyst Ashish Sabadra on an investor call in September 2018.
“Well, we’ll see. I mean, again, we don’t hope for a hurricane anywhere, and we don’t want to have people be in a distressed situation,” replied FleetCor CFO Eric Dey. “But yes, if it does happen again, FEMA would call us, and we would probably get some incremental revenue out of it.”
Justin Rohrlich and Jeremy B. Merrill contributed to this story.