Glitch May Have Exposed Data of Thousands of Small Businesses Applying for Federal Relief Loans

Nearly 8,000 applicants to a Small Business Administration loan program may have had their data shown to other users filling out the application.

Thousands of small businesses seeking federal disaster loans in the wake of the coronavirus pandemic may have had their sensitive information exposed due to a glitch in a Small Business Administration program, according to The Washington Post.

Nearly 8,000 applicants to the Economic Injury Disaster Loan program may have had their personal information accidentally disclosed to other applicants. One government official told CNBC that the glitch occurred when an applicant was in the loan application portal and clicked the page’s back button. 

When they saw the previous screen, the applicant may have seen information belonging to another small business owner instead of their own. The SBA discovered the flaw on March 25 and sent a letter to affected users, noting that personal information such as social security numbers, addresses, financial data and insurance information.

“We immediately disabled the website, we mitigated the risks, implemented additional safeguards to prevent any future inadvertent disclosure,” the letter reads. “To date, there is no evidence to suggest that there has been any attempt to misuse any of this information.” 

The EDIL application, which usually assists businesses affected by natural disasters, has been expanded to include businesses affected by the COVID-19 crisis. (It is separate from the Paycheck Protection Program, which ran through $350 billion of available funding within two weeks). 

Read More: Industry Groups Push For More Cybersecurity Funding In Future COVID-19 Stimulus Legislation

Applicants affected by the error have been offered a year of free credit and identity monitoring services to ensure that their information is not stolen. The Post reported that the SBA has not answered questions about how the breach was discovered or how long it lasted. 

Security experts like Mark Bower, senior vice president at comforte AG, expressed concern that the need for speedy responses to the COVID-19 crisis has crowded out cybersecurity assurances during the application process. 

“Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line?” Bower said. “The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk.“ 

The initial statements from the SBA make it difficult for affected parties to understand what the impact will be, said Tim Erlin, the vice president of product management and strategy at Tripwire. But credit monitoring services should help business owners know if their data has been used on the dark web. 

“While any breach is unfortunate, it’s especially painful when the government exposes the personal data of citizens,” Erlin said. “There is likely plenty of blame to go around for an incident like this, but the focus should be on how trust can be restored and affected victims can be protected.”

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • Maximizing Your Security Budget This Year

    7 Ways You Can Secure a High-Traffic Commercial Security Gate  

    Your commercial security gate is one of your most powerful tools to keep thieves off your property. Without a security gate, your commercial perimeter security plan is all for nothing. Read Now

  • Making Safety and Security Intrinsic to School Design

    Public anxieties about school safety are escalating across the country. According to a 2023 Gallup report, 44% of parents fear for their child’s physical safety at school, a 10 percentage-point increase since 2019. Unfortunately, these fears are likely to increase if the incidence of school tragedies continues to mount. As a result, school leaders are now charged with two non-negotiable responsibilities. The first, as always, is to ensure kids have what they need to learn, grow, and thrive. Sadly, their second responsibility is to keep the children in their care safe from threats and physical danger. Read Now

  • The Power of a Layered Approach to Safety

    In a perfect world, every school would have an unlimited budget to help secure their schools. In reality, schools must prioritize what budget they have while navigating the complexities surrounding school security and lockdown. Read Now

  • How a Security System Can Enhance Arena Safety and the Fan Experience

    Ensuring guests have both a memorable experience and a safe one is no small feat for your physical security team. Stadiums, ballparks, arenas, and other large event venues are increasingly leveraging new technologies to transform the fan experience and maintain a high level of security. The goal is to preserve the integrity and excitement of the event while enhancing security and remaining “behind the scenes.” Read Now

Featured Cybersecurity

Webinars

New Products

  • Hanwha QNO-7012R

    Hanwha QNO-7012R

    The Q Series cameras are equipped with an Open Platform chipset for easy and seamless integration with third-party systems and solutions, and analog video output (CVBS) support for easy camera positioning during installation. A suite of on-board intelligent video analytics covers tampering, directional/virtual line detection, defocus detection, enter/exit, and motion detection. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3