Approximately 8,000 applicants for a loan from the Small Business Administration (SBA) could have had their personal information exposed to other applicants in a data breach.
The Economic Injury Disaster Loans (EIDL) program, the SBA program where the breach occurred, typically aids owners whose businesses are affected by disasters such as hurricanes and tornadoes. The recent CARES Act expanded the program to include those affected by the COVID-19 pandemic. The Act permits loans as well as grants of up to $10,000. EIDL is not part of the Paycheck Protection Program (PPP), another program created by the CARES Act, which was not affected by the breach.
The flaw was discovered on March 25, after which affected users were notified. The notification stated that exposed information includes “[social security and taxpayer ID numbers], addresses, date of birth, email, phone number, marital status, citizenship status, household size, income, disclosure inquiry, financial and insurance information.” As of April 13, the government has not identified any instances of bad actors using this information. Those affected have been offered free identity theft protection for a year.
The breach occurred when small business applicants in the loan application portal clicked the back button; after doing so, they may have seen another business owner’s information instead of their own. The SBA quickly disabled the part of the website where the breach occurred. It has since fixed the issue, and the website is up and running.
The data breach only adds to business owners’ frustration. The EIDL program has been in high demand. Prior to the pandemic, “small businesses were supposed to be eligible for up to $2 million in disaster loans.” However, the SBA has granted approximately 27,000 loans at more than $5.5 million, and due to demand, loans were limited to $10,000. An additional 755,000 businesses received EIDL grants worth $3.3 billion, and roughly 4 million business owners applied for loans worth $383 billion, which exceeds the $17 billion originally designated for these types of loans.