SBA May Have Exposed Data on 8,000 Loan ApplicantsReports: Application Portal Flaw May Have Leaked Social Security Numbers, Other Data
Watch for updates on this developing story.
See Also: 2021: A Cybersecurity Odyssey
The U.S. Small Business Administration says a flaw in an online application portal may have exposed the personal data of approximately 8,000 loan applicants seeking help coping with the economic impact of the COVID-19 pandemic, according to the Washington Post and other media outlets.
Small business owners affected by the data leak were applying for loans through the SBA's Economic Injury Disaster Loan program, which is normally designed to help in times of natural disasters, such as hurricanes, but has been revamped in recent weeks to provide loans for small businesses affected by the COVID-19 pandemic.
The security incident involving the Economic Injury Disaster Loan program and its online application portal did not affect the much larger Paycheck Protection Program, which has also been making loans to small businesses affected by the COVID-19 pandemic, the Post reports.
The flaw in the online portal was originally discovered on March 25. An SBA spokesperson told the Washington Post that the agency "immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal."
Before the portal was fixed, however, it appears that the personal information and data of some 8,000 small business owners may have been exposed to other applicants. The information could include Social Security numbers, addresses, dates of birth and possibly other financial data, according to the Post.
Small business owners recently started receiving letters from the SBA saying that their data may have been exposed, although it does not appear that any of this information has been misused at this point, according to copies of these letters, which have begun to appear online and on social media.
Now you get an SBA letter saying there was a data breach in the EIDL online application process and applicants' information may be used including SSN/EIN, addresses, etc. pic.twitter.com/nsnZhwRhg0— Shayna Chapman (@ShaynaCPA) April 17, 2020
In the rush to obtain cash grants or loans through the Economic Injury Disaster Loan program, small business owners needed to process their applications through an SBA online portal.
That application portal, however, contained a flaw. If an applicant hit the page back button on the online loan application, the applicant may have seen personal and financial data that belonged to a different business owner rather than their own, according to CNBC, which cited an anonymous senior administration official.
It's not clear what exactly caused this flaw, but the portal is now back online, CNBC reports. In the SBA letters posted online, the agency says it will offer free credit monitoring for one year for those affected.
While details of what happened are still emerging, Chris Pierson, CEO of cybersecurity firm BlackCloak, says that it's likely that the loan application portal was rushed into production, and that the code was not examined for flaws or checked to ensure that it met security requirements.
"These types of issues can occur easily when changes are made quickly and without proper review, testing, and security review," Pierson tells Information Security Media Group. "As always, ensuring a holistic software development life cycle process includes a security component, static testing, and dynamic testing in the quality review process are key."
Mike Weber, vice president at cybersecurity consulting firm Coalfire, agreed that the application portal may have been pushed into production to meet demand.
"This appears to be an example of a rush-to-market that forgoes security controls in favor of having a solution in the market sooner rather than later," Weber tells ISMG. "Implementing security into the development lifecycle has historically been a challenge and in today's modern DevOps. Recently developed continuous integration and continuous delivery pipelines can exacerbate the impact as well."
Both the Economic Injury Disaster Loan and Paycheck Protection Program have been overwhelmed by demand since the start of the COVID-19 pandemic, which forced many businesses to close down indefinitely to keep the disease from spreading.
The $2.2 trillion stimulus bill, known as the CARES Act, that was signed into law in March included money for both programs, which quickly ran out due to demand.
More Financial Help on the Way
On Tuesday, the U.S. Senate approved a new aid package to assist small businesses and hospitals as well as provide funding for more testing. That proposal includes $320 billion more for the Paycheck Protection Program and about $60 billion earmarked for the Economic Injury Disaster Loan program, according to the New York Times.
The House is expected to vote on the measure Thursday, and President Donald Trump has signaled that he will sign it, according to the Times.