Glitch May Have Exposed Data of Thousands of Small Businesses Applying for Federal Relief Loans

Nearly 8,000 applicants to a Small Business Administration loan program may have had their data shown to other users filling out the application.

Thousands of small businesses seeking federal disaster loans in the wake of the coronavirus pandemic may have had their sensitive information exposed due to a glitch in a Small Business Administration program, according to The Washington Post.

Nearly 8,000 applicants to the Economic Injury Disaster Loan program may have had their personal information accidentally disclosed to other applicants. One government official told CNBC that the glitch occurred when an applicant was in the loan application portal and clicked the page’s back button. 

When they saw the previous screen, the applicant may have seen information belonging to another small business owner instead of their own. The SBA discovered the flaw on March 25 and sent a letter to affected users, noting that personal information such as social security numbers, addresses, financial data and insurance information.

“We immediately disabled the website, we mitigated the risks, implemented additional safeguards to prevent any future inadvertent disclosure,” the letter reads. “To date, there is no evidence to suggest that there has been any attempt to misuse any of this information.” 

The EDIL application, which usually assists businesses affected by natural disasters, has been expanded to include businesses affected by the COVID-19 crisis. (It is separate from the Paycheck Protection Program, which ran through $350 billion of available funding within two weeks). 

Read More: Industry Groups Push For More Cybersecurity Funding In Future COVID-19 Stimulus Legislation

Applicants affected by the error have been offered a year of free credit and identity monitoring services to ensure that their information is not stolen. The Post reported that the SBA has not answered questions about how the breach was discovered or how long it lasted. 

Security experts like Mark Bower, senior vice president at comforte AG, expressed concern that the need for speedy responses to the COVID-19 crisis has crowded out cybersecurity assurances during the application process. 

“Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line?” Bower said. “The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk.“ 

The initial statements from the SBA make it difficult for affected parties to understand what the impact will be, said Tim Erlin, the vice president of product management and strategy at Tripwire. But credit monitoring services should help business owners know if their data has been used on the dark web. 

“While any breach is unfortunate, it’s especially painful when the government exposes the personal data of citizens,” Erlin said. “There is likely plenty of blame to go around for an incident like this, but the focus should be on how trust can be restored and affected victims can be protected.”

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • CISA Kicks Off 20th Anniversary of Cybersecurity Awareness Month

    CISA Kicks Off 20th Anniversary of Cybersecurity Awareness Month

    The Cybersecurity and Infrastructure Security Agency (CISA) recently announced the kickoff of the 20th Cybersecurity Awareness Month. Throughout October, CISA and the National Cybersecurity Alliance (NCA) will focus on ways to “Secure Our World” by educating the public on how to stay safe online. Read Now

  • Cybersecurity Awareness Month: Top Five Action Items to Elevate Your Data Security Posture Management and Secure Your Data

    October is Cybersecurity Awareness Month, and every year most tips for security hygiene and staying safe have not changed. We’ve seen them all – use strong passwords, deploy multi-factor authentication (MFA), be vigilant to spot phishing attacks, regularly update software and patch your systems. These are great recommended ongoing tips and are as relevant today as they’ve ever been. But times have changed and these best practices can no longer be the bare minimum. Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity

New Products

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3