Here's the kicker, from an IT security perspective, from the AP story quoting a FEMA spokesperson:
FEMA's chief information officer is investigating who hacked into the system and where exactly the calls were placed to. At this point it appears a "hole" was left open by the contractor when the voice mail system was being upgraded, Olshanski said. Olshanski did not know who the contractor was or what hole specifically was left open, but he assured the hole has since been closed.
This illustrates an excellent, yet often overlooked, point. Despite all of the attention we spend focusing on zero-day vulnerabilities and exotic exploits and attacks, many times it's simply poor change control procedures, lack of urgency to patch, or carelessness that gets an organization bitten.
Fortunately, in this case, it only appears to have been $12,000 in illegal calls to the Middle East and Asia, and some egg of the face of FEMA and the DHS.