SBA emergency loan applicants’ data likely exposed

A breach at the Small Business Administration may have exposed personal information on almost 8,000 small businesses that applied to the agency’s Economic Injury Disaster Loan program (EIDL), recently expanded to include organizations affected by the COVID-19 pandemic.

The EIDL is a separate program from the Payroll Protection Program set up to offer small businesses relief as the coronavirus spread shuttered or compromised their operations and which ran out of funds quickly. Congress today reached a bipartisan deal to provide additional funding for the program.

“It’s clear that prioritizing services to save vulnerable small businesses in a pandemic is a priority, but this exposure begs more questions about application data handling risk,” said Mark Bower, senior vice president at comforte AG, who warned affected businesses “to be watchful for social engineering attacks which follow identity exposures leading to more sinister IT compromises and financial theft.”

Details of about the exposure of data, which may have included Social Security numbers, birth dates, email addresses, citizenship status, insurance information and addresses, were scarce, although the Washington Post reported that the SBA discovered the breach March 25 and does not believe the information has been exploited.

“In the face of disaster when people are losing their livelihood, it is perfectly normal to rush a solution to help those in need,” said Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, but the SBA incident underscores the importance of having “a culture of solid processes one can rely on when things get hectic and not make basic security mistakes.”

Jack Mannino, CEO at nVisium, agrees that the scramble to scale systems and “build new functionality outside of normal practices and methods” has left public services vulnerability. “It’s important to understand how these new services affect existing components and expose your users to new threats as you build secure development into your systems engineering,” he said.

The SBA sent out notification letters this month to businesses that may have been affected.

The agency said it “immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal,” according to the report.

“While any data breach creates complications, to the benefit of the Small Business Association (SBA), they were able to limit the website access and prevent many more thousands of applicants from being affected,” said Heather Paunet, vice president of product management at Untangle. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.