The Federal Emergency Management Agency (FEMA) announced Friday it failed to protect 2.3 million disaster survivors’ sensitive personal information, potentially putting them at risk for identity theft and fraud.

The Department of Homeland Security Office of the Inspector General found that the breach happened as the agency was transferring information to a contractor to secure temporary housing for those impacted by hurricanes Harvey, Irma and Maria and the 2017 California wildfires.

The agency said it is taking steps to mitigate the situation by working with the contractor to remove unnecessary material from its databases.

“Since discovery of this issue, FEMA has taken aggressive measures to correct this error. FEMA is no longer sharing unnecessary data with the contractor and has conducted a detailed review of the contractor’s information system,” FEMA press secretary Lizzie Litzow said in a statement.

“To date, FEMA has found no indicators to suggest survivor data has been compromised,” she added. “FEMA has also worked with the contractor to remove the unnecessary data from the system and updated its contract to ensure compliance with Department of Homeland Security (DHS) cybersecurity and information-sharing standards.”

FEMA said it has instructed contractors to complete additional privacy training.

The watchdog report indicated that while certain personal information is required to be given to the agency, FEMA exposed banking information, including transfer numbers, and personal addresses, in violation of the Privacy Act of 1974.

FEMA said it plans to modernize how it transmits personal information by June 2020.