The SBA Was Breached

8,000 small business owners who applied for loans from the Small Business Administration potentially had their personal information exposed last month, admits the agency.

The Economic Injury Disaster Loan program (EIDL) offers up to $10,000 to owners currently struggling with their businesses due to the COVID-19 pandemic.

Who Is Affected?

The breach affects people who applied for the EIDL. Traditionally, it was used to aid owner whose businesses were impacted by tornadoes, hurricanes and other natural disasters. Congress expanded it in the $2.2 trillion CARES Act.

Notification letters were sent to 7,913 applicants possibly impacted by the breach and then the letters were posted online. The letters revealed that personal data could have been exposed to other applicants. This data included phone numbers, addresses, dates of birth, income and financial information, and social security numbers.

What’s In the Loan Program?

The Economic Injury Disaster Loan program (EIDL) offers up to $10,000 to owners currently struggling with their businesses due to the novel coronavirus pandemic.

A Trump administration official described the issue to CNBC saying that an error occurred when some owners would hit the back button on a page they would see the information of someone else’s businesses rather than their own.

How Did The SBA Find Out?

According to reports by the Washington Post, the SBA was initially silent on the duration of the breach or about details of its discovery. Businesses that may have been affected were notified by the SBA and offered one free year of credit monitoring.

The Agency said it discovered the vulnerability on March 25 and notified those affected with letters. A copy of the letter was posted by a victim after the breach. The letter itself mentioned that there is no sign of data misuse as of last week.

What’s The SBA’s Track Record?

Business owners have had issues with the disaster loan website before. The site was taken down for maintenance for several hours on March 16, and owners could not apply during that time. On March 29, the SBA revised its application process for the disaster loans and owners had to reapply. Many learned days or weeks later that they needed to reapply.

Business owners experienced issues with the loan website previously. In fact, the site was taken down for maintenance for hours on March 16. This meant owners couldn’t apply for a loan in that time. About two weeks later on March 29, the SBA updated the application process for the loans and owners were required to reapply.

How Much Money Was Allocated?

As of April 19, SBA had approved almost 27,000 EIDL loans valued at $5.6 billion. Another 755,000 businesses received EIDL grants worth a total of $3.3 billion. The Trump administration official told CNBC that 4 million business owners had applied for assistance worth $383 billion—far more than the $17 billion allocated for the program.

Even before the breach the agency website was strained by a flood of applications for the loan that overburdened funding, keeping businesses waiting for weeks to receive money.

Before the COVID-19 crisis small businesses should have been eligible for up to $2 million in disaster loans. Unfortunately, because millions of companies are now seeking assistance,  the SBA had to limit the loans to the previously mentioned $10,000

What are the Risks Now That There Was a Breach?

That being said, the SBA approved nearly 27,000 EIDL loans since April 19. However, the breach raises a problem for anyone looking to exploit personal information on the website for social engineering scams. IBM Securities published research revealing it had seen a 6000% increase in email campaigns impersonating the SMB.

For more information on cyber security, cloud, remote work and more, visit Nerds Support’s blog.