May 06, 2020

SBA Loan Program Suffers Data Breach

Patrick McKnight

As the COVID-19 pandemic swept across America, “non-essential” businesses were shuttered under emergency government orders. Consumers were ordered to stay at home and the economy nearly ground to a halt.

The United States Small Business Administration was suddenly thrust into the spotlight. Thousands of businesses across the nation applied for the Economic Injury Disaster Loan (“EIDL”) program. Unfortunately, it appears many of these applicants suffered a second setback due to vulnerabilities within the SBA website.

The EIDL program offers applicants up to $2 million in low-interest loans and a $10,000 advance. The program was the only source of emergency funding for many businesses prior to several rounds of Congressional legislation.

A problem with the EIDL application portal apparently resulted in a data breach involving 7,913 businesses. The SBA discovered the problem on March 25, 2020 and has been informing applicants via paper mail.

"Personal identifiable information of a limited number of Economic Injury Disaster Loan applicants was potentially exposed to other applicants on SBA's loan application site. We immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal," the Small Business Administration said.

According to the SBA, breached information may have included names, Social Security numbers, addresses, birth dates, emails, marital status, citizenship status, household size, disclosure inquiry, financial and insurance information. Initial reports indicate the issue may have been caused by a misconfigured web cache. This glitch may have allowed small-business applicants using the portal to view another business owner’s loan application information. The SBA said it currently had no evidence the exposed data has been abused.

The SBA is offering everyone potentially impacted by the breach a free year of credit monitoring. According to the SBA, the data breach did not impact applicants to the Paycheck Protection Program.

News of the data breach was not well-received by lawmakers. US Senator for Nebraska Ben Sasse commented:

“Americans are fighting to keep their businesses alive and the last thing they should have to worry about is whether or not their federal government is competent enough to protect their personal information. We absolutely know that databases of social security numbers, addresses, and birth dates are ripe targets. Washington has got to get it together."

The SBA has also been implicated in a large wave of phishing emails. IBM X-Force researchers reported a 6,000% increase in spam emails related to the COVID-19 pandemic. Many of these attacks purported to come from the SBA with false offers of government funding.

The COVID-19 pandemic is a historic event. Not only has public health and public policy been pushed to the frontiers available resources, cybersecurity is also on the frontlines. Portals like those on the SBA website are experiencing unprecedented surges in traffic due to COVID-19. More generally, millions of employees are simultaneously working from home for the first time. Private sector cybersecurity systems are also facing new challenges during the emergency.

It remains to be seen how many other data breaches relate to COVID-19 will be reported. In the long run, the information technology problems caused by the pandemic will make networks and systems stronger. In the short term, any existing vulnerabilities will continue to be exacerbated by an extraordinary volume of traffic flowing to specific portals.

Patrick McKnight

Klehr Harrison Harvey Branzburg LLP