Small business owners applying for COVID-19 relief may have had PII exposed, agency says

The Small Business Administration has started to notify business owners who may have had their data exposed.

As the federal agency overseeing relief to small businesses during the coronavirus pandemic was preparing to ramp up its lending, some of the Small Business Administration’s loan applicants may have had their personally identifiable information exposed to others, an agency spokeswoman tells CyberScoop.

“Personal identifiable information of a limited number of Economic Injury Disaster Loan applicants was potentially exposed to other applicants on [the Small Business Administration’s] loan application site,” SBA spokeswoman Carol Wilkerson said in a statement Saturday.

“We immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal,” the statement continued. “SBA continues to process applications submitted via email, paper, and online.”

The cause of the data exposure at SBA, and for how long it occurred, was not immediately clear. Wilkerson did not respond to questions on why the PII may have been exposed and what types of data were affected.


An industry source looking for loan relief said the website had been functioning in the days prior to March 25, when he noticed the site was down. CyberScoop confirmed the site was down on March 25. In her statement, Wilkerson said the agency quickly rectified the issue. The site is currently functioning.

Small businesses reeling from disruptions caused by COVID-19 have turned to SBA’s economic disaster loan program, which offers up to $2 million in lending per business. It is one of multiple programs the Trump administration is using to try to blunt the economic fallout from a pandemic that has already shuttered businesses across the country. A record 6.6 million Americans filed for unemployment in the week ending March 28.

An SBA official said the agency had begun notifying those who may have had their PII compromised and offering one year of free credit monitoring. The incident, the official said, was not related to SBA’s payment protection plan, an emergency program created by the recent federal stimulus package that offers each eligible business up to $10 million in lending.

An increasing number of Americans are turning to federal websites for crucial information on the coronavirus, raising the stakes for those websites’ security and privacy protections. Last month, the Department of Health and Human Services had to fix a flaw in its contracting website that was redirecting users to a data-stealing malicious domain.

Newsday was first to report on the data exposure incident at SBA.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
