Small Businesses Tapping COVID-19 Loans Hit with Data Exposure

The SBA said sensitive information about applicants may have been revealed to others applying for disaster loan program funds.

A data breach at the agency in charge of providing financial relief to small businesses during the COVID-19 crisis may have exposed sensitive information of 8,000 business that applied, and may delay payouts, a government official said.

The Small Business Administration (SBA), which oversees the Economic Injury Disaster Loan (EIDL) program, has notified applicants of the potential data leak, according to a published report by CNBC. EIDL is aimed at helping small businesses weather the economic fallout from shutdowns and the resulting loss of business during the pandemic.

The data exposed included names, Social Security numbers, tax identification numbers, addresses, dates of birth, email, phone numbers, marital and citizenship status, household size, income, disclosure inquiry and financial and insurance information, according to the news outlet, which said it obtained a letter sent to affected business owners.

The breach could only occur if an applicant to the program was working in the loan application portal of the SBA application system, a senior government official told CNBC.

If the user tried to go back a page on the application while they were using the portal, information that belonged to another business owner may have been visible, according to the report.

“We immediately disabled the impacted portion of the website, addressed the issue and relaunched the application portal,” the official told CNBC. However, at this time, the SBA is no longer accepting applications for the program.

The EIDL program in the past has been used to provide aid to businesses after disruption by natural disasters such as hurricanes and tornadoes. Congress recently expanded its role as part of a $2.2 trillion economic stimulus package, called the CARES Act, that the federal government approved to help companies affected by business shutdown during the coronavirus pandemic.

Four million small business owners applied for $383 billion in aid via the EIDL program, as well as for emergency grants that also are available, according to the SBA. The two programs are funded for just $17 billion.

One security expert said that the breach is not surprising, given that the portal was probably a rush job as the federal government scrambled to make program information and applications accessible as quickly as possible following its rollout.

“In the face of disaster when people are losing their livelihoods, it is perfectly normal to rush a solution to help those in need,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, said in an email to Threatpost. “The real lesson to learn is the necessity to have a culture of solid processes one can rely on when things get hectic and not make basic security mistakes.”

To provide reparation for the potential breach, the government offered affected businesses identity theft protection services for a year, according to CNBC. So far, no misuse of any information from the potential leak has been evident, officials said.

Still, security experts urged any business that could have been affected to use caution, as there still might be fallout from any potential breach.

“We still need to know more details, but if the breach occurred nearly a month ago, then it would have probably surfaced by now, had it been stolen,” Paul Bischoff, privacy advocate with Comparitech, said in an email to Threatpost. “Small businesses should hope for the best but prepare for the worst. That includes identity theft and phishing.”

Indeed, Mark Bower, senior vice president at comforte AG, concurred that businesses should keep an eye out for potential attack scenarios in the coming months due to the incident, which is “the last thing these businesses need.”

“Attackers are smart, following the money and the path of least resistance,” he said in an email to Threatpost. “Affected businesses really need to be watchful for social-engineering attacks which follow identity exposures leading to more sinister IT compromises and financial theft.”

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.


Suggested articles