Glitch May Have Exposed Data of Thousands of Small Businesses Applying for Federal Relief Loans
Nearly 8,000 applicants to a Small Business Administration loan program may have had their data shown to other users filling out the application.
- By Haley Samsel
- Apr 22, 2020
Thousands of small businesses seeking federal disaster loans in the wake of the coronavirus pandemic may have had their sensitive information exposed due to a glitch in a Small Business Administration program, according to The Washington Post.
Nearly 8,000 applicants to the Economic Injury Disaster Loan program may have had their personal information accidentally disclosed to other applicants. One government official told CNBC that the glitch occurred when an applicant was in the loan application portal and clicked the page’s back button.
When they saw the previous screen, the applicant may have seen information belonging to another small business owner instead of their own. The SBA discovered the flaw on March 25 and sent a letter to affected users, noting that personal information such as Social Security numbers, addresses, financial data and insurance information may have been disclosed.
“We immediately disabled the website, we mitigated the risks, implemented additional safeguards to prevent any future inadvertent disclosure,” the letter reads. “To date, there is no evidence to suggest that there has been any attempt to misuse any of this information.”
The EIDL application, which usually assists businesses affected by natural disasters, has been expanded to include businesses affected by the COVID-19 crisis. (It is separate from the Paycheck Protection Program, which ran through $350 billion of available funding within two weeks.)
Applicants affected by the error have been offered a year of free credit and identity monitoring services to ensure that their information is not stolen. The Post reported that the SBA has not answered questions about how the breach was discovered or how long it lasted.
Security experts like Mark Bower, senior vice president at comforte AG, expressed concern that the need for speedy responses to the COVID-19 crisis has crowded out cybersecurity assurances during the application process.
“Have best practices like data-centric security been traded off to launch quickly, leading to further exposure and attack down the line?” Bower said. “The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk.”
The initial statements from the SBA make it difficult for affected parties to understand what the impact will be, said Tim Erlin, the vice president of product management and strategy at Tripwire. But credit monitoring services should help business owners know if their data has been used on the dark web.
“While any breach is unfortunate, it’s especially painful when the government exposes the personal data of citizens,” Erlin said. “There is likely plenty of blame to go around for an incident like this, but the focus should be on how trust can be restored and affected victims can be protected.”