SBA May Have Exposed Data on 8,000 Loan Applicants


Reports: Application Portal Flaw May Have Leaked Social Security Numbers, Other Data


Watch for updates on this developing story.


The U.S. Small Business Administration says a flaw in an online application portal may have exposed the personal data of approximately 8,000 loan applicants seeking help coping with the economic impact of the COVID-19 pandemic, according to the Washington Post and other media outlets.

Small business owners affected by the data leak were applying for loans through the SBA’s Economic Injury Disaster Loan program, which is normally designed to help in times of natural disasters, such as hurricanes, but has been revamped in recent weeks to provide loans for small businesses affected by the COVID-19 pandemic.

The security incident involving the Economic Injury Disaster Loan program and its online application portal did not affect the much larger Paycheck Protection Program, which has also been making loans to small businesses affected by the COVID-19 pandemic, the Post reports.

The flaw in the online portal was originally discovered on March 25. An SBA spokesperson told the Washington Post that the agency “immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal.”

Before the portal was fixed, however, it appears that the personal information and data of some 8,000 small business owners may have been exposed to other applicants. The information could include Social Security numbers, addresses, dates of birth and possibly other financial data, according to the Post.

Small business owners recently started receiving letters from the SBA saying that their data may have been exposed, although it does not appear that any of this information has been misused at this point, according to copies of these letters, which have begun to appear online and on social media.

Portal Flaw

In the rush to obtain cash grants or loans through the Economic Injury Disaster Loan program, small business owners needed to process their applications through an SBA online portal.

That application portal, however, contained a flaw. If an applicant hit the page back button on the online loan application, the applicant may have seen personal and financial data that belonged to a different business owner rather than their own, according to CNBC, which cited an anonymous senior administration official.

It’s not clear what exactly caused this flaw, but the portal is now back online, CNBC reports. In the SBA letters posted online, the agency says it will offer free credit monitoring for one year for those affected.

Both the Economic Injury Disaster Loan program and the Paycheck Protection Program have been overwhelmed by demand since the start of the COVID-19 pandemic, which forced many businesses to close down indefinitely to keep the disease from spreading.

The $2.2 trillion stimulus bill, known as the CARES Act, that was signed into law in March included money for both programs, which quickly ran out due to demand.

More Financial Help on the Way

On Tuesday, the U.S. Senate approved a new aid package to assist small businesses and hospitals as well as provide funding for more testing. That proposal includes $320 billion more for the Paycheck Protection Program and about $60 billion earmarked for the Economic Injury Disaster Loan program, according to the New York Times.

The House is expected to vote on the measure Thursday, and President Donald Trump has signaled that he will sign it, according to the Times.
