The Federal Emergency Management Agency improperly released the personal data of some 2.3 million survivors of hurricane and wildfire disasters to a contractor, the Department of Homeland Security’s internal watchdog said late Friday.

Personal details including individuals’ home addresses and bank account numbers — data that exposes victims to potential identity theft and fraud — were improperly given to a contractor hired by FEMA to provide temporary housing to victims of hurricanes Harvey, Irma, and Maria and California wildfires in 2017, according to a memo released on Friday by the Department of Homeland Security’s Office of Inspector General.

FEMA provided more information than necessary to the vendor and has since taken steps to correct the error, FEMA spokeswoman Lizzie Litzow said in an emailed statement. In addition, there’s no indication that any of the 2.3 million people’s personal data has been compromised, she said.

The disclosures were made “in direct violation of Federal and DHS requirements,” and the watchdog recommended FEMA take action to prevent improper releases in the future. More than 20 types of “unnecessary” information was released by the agency, including six “sensitive” data types. The report didn’t name the contractor.

In a response included in the report, FEMA said it concurred with the recommendations and was taking “corrective actions.”

“FEMA has taken aggressive action to mitigate the issues raised within this report and strengthen the protection of survivor data,” Joel Doolin, a FEMA associate administrator, said in its response.

The excessive sharing of data was discovered during an audit of FEMA’s post-disaster sheltering program.