A data breach at the agency tasked with providing financial assistance to small businesses during the COVID-19 pandemic has exposed sensitive data of approximately 8,000 small businesses. As a result, a delay in payouts is expected.
The Small Business Administration (SBA), which oversees the Economic Injury Disaster Loan (EIDL) program, has notified applicants of the potential data breach. The EIDL is designed to help small businesses stay afloat during the COVID-19 outbreak.
According to news reports, the data exposed includes names, Social Security numbers, tax IDs, addresses, birth dates, email addresses, phone numbers, marital and citizenship status, household size, income, disclosure inquiry, and financial and insurance information. A letter was sent to affected business owners explaining the breach.
HOW THE BREACH HAPPENED:
The breach could only occur if a loan applicant was working in the loan application portal of the SBA application system, says a senior government official. The exposure occurred if the user attempted to go back a page on the application while in the portal, at which point sensitive data belonging to another business owner may have become visible.
“We immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal,” the official states. However, at this time, the SBA is not accepting loan applications. “In the face of disaster when people are losing their livelihoods, it is perfectly normal to rush a solution to help those in need,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, said in an email to Threatpost. “The real lesson to learn is the necessity to have a culture of solid processes one can rely on when things get hectic and not make basic security mistakes.”