Small business owners applying for COVID-19 relief may have had PII exposed, agency says
As the federal agency overseeing relief to small businesses during the coronavirus pandemic was preparing to ramp up its lending, some of the Small Business Administration’s loan applicants may have had their personally identifiable information exposed to others, an agency spokeswoman tells CyberScoop.
“Personal identifiable information of a limited number of Economic Injury Disaster Loan applicants was potentially exposed to other applicants on [the Small Business Administration’s] loan application site,” SBA spokeswoman Carol Wilkerson said in a statement Saturday.
“We immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal,” the statement continued. “SBA continues to process applications submitted via email, paper, and online.”
The cause of the data exposure at SBA, and for how long it occurred, was not immediately clear. Wilkerson did not respond to questions on why the PII may have been exposed and what types of data were affected.
An industry source looking for loan relief said the website had been functioning in the days prior to March 25, when he noticed the site was down. CyberScoop confirmed the site was down on March 25. In her statement, Wilkerson said the agency quickly rectified the issue. The site is currently functioning.
Small businesses reeling from disruptions caused by COVID-19 have turned to SBA’s economic disaster loan program, which offers up to $2 million in lending per business. It is one of multiple programs the Trump administration is using to try to blunt the economic fallout from a pandemic that has already shuttered businesses across the country. A record 6.6 million Americans filed for unemployment in the week ending March 28.
An SBA official said the agency had begun notifying those who may have had their PII compromised and offering one year of free credit monitoring. The incident, the official said, was not related to SBA’s payment protection plan, an emergency program created by the recent federal stimulus package that offers each eligible business up to $10 million in lending.
An increasing number of Americans are turning to federal websites for crucial information on the coronavirus, raising the stakes for those websites’ security and privacy protections. Last month, the Department of Health and Human Services had to fix a flaw in its contracting website that was redirecting users to a data-stealing malicious domain.
Newsday was first to report on the data exposure incident at SBA.