The Federal Emergency Management Agency (FEMA) last week publicly acknowledged that for roughly 10 years it unnecessarily exposed the personally identifiable information of roughly 2.5 million disaster survivors to a third-party contractor.

FEMA does not believe citizens’ data was compromised due to the error, which was originally reported last month by the U.S. Department of Homeland Security Office of the Inspector General. Still, as a precautionary measure, the federal agency will offer 18 months of free credit monitoring services to those affected by the breach.

The third-party vendor in question runs FEMA’s Transitional Sheltering Assistance program, which provides lodging for individuals who cannot return home following a disaster. In an online notification and corresponding letter to affected individuals, FEMA said that the approximately 2.5 million affected citizens had applied for federal disaster assistance between 2008 and late 2018 and were eligible to receive emergency lodging via the TSA program.

FEMA further explained that it originally started sharing survivors’ banking and home address information with the TSA contractor so that the third party could reimburse disaster victims for their incurred lodging costs. However, as of 2008, the reimbursement program ended, and since then the lodging providers have instead been paid directly through the program. Nevertheless, FEMA continued to share the same information with the contractor, even though it was no longer needed.

Of the individuals affected, about 1.8 million had their banking information shared.

FEMA said it has addressed the breach by permanently deleting the unnecessarily shared information from the contractor’s system, revising its data sharing process and conducting a security assessment of the contractor’s computer system.