Data Breach Update: SBA Exposed Personal Information of Thousands of Small Business Owners Applying for the Economic Injury Disaster Loans - Clarip Privacy Blog

Data Breach Update: SBA Exposed Personal Information of Thousands of Small Business Owners Applying for the Economic Injury Disaster Loans


Millions of small business owners struggling due to the coronavirus pandemic have applied for economic relief loans authorized by the federal bailout funds. The Economic Injury Disaster Loan (EIDL), one of the programs available to small businesses, offers up to $10,000 in advance loans administered by the Small Business Administration (SBA). To apply for an EIDL loan, business owners must fill out an application directly on the SBA website.

On April 21, 2020, the SBA revealed that a bug in its website exposed the personal information of thousands of EIDL applicants as early as March 25. According to reports, the breach was caused by a security flaw in the online application portal: hitting the back button during the application process could have displayed application data from another business.

A total of 7,913 applicants’ information could have been exposed, including social security numbers, addresses, phone numbers, dates of birth, household size, income and both financial and insurance information.  There is currently no evidence that any exposed data has been misused, but there is a risk that it might be used for social engineering attacks in the future.  The SBA is offering businesses that might have been affected by the breach one year of free credit monitoring.

Businesses should remain vigilant for cybersecurity scams related to the pandemic. According to IBM X-Force researchers, there has been a substantial increase in COVID-19-related spam, including messages impersonating WHO officials, the SBA, banks, and charities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) advises that businesses take the following precautions:

  • Avoid clicking on links in unsolicited emails and be wary of email attachments.
  • Use trusted sources—such as legitimate, government websites—for up-to-date, fact-based information about COVID-19.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
  • Verify a charity’s authenticity before making donations.
  • Review CISA Insights on Risk Management for COVID-19 for more information.

 

Sources:

https://www.businessinsider.com/sba-website-leaks-thousands-business-owners-personal-information-disaster-loans-2020-4

https://www.zdnet.com/article/sba-reveals-potential-data-breach-impacting-8000-emergency-business-loan-applicants/

https://www.zdnet.com/article/scammers-are-now-taking-advantage-of-us-small-business-relief-fund-in-phishing-emails/

https://www.us-cert.gov/ncas/current-activity/2020/03/06/defending-against-covid-19-cyber-scams
