Last month the Small Business Administration reported nearly 8,000 businesses had their personal information exposed on its website during the surge of applications for economic injury disaster loans (EIDL). A representative confirmed the breach to Business Insider.
In the wake of COVID-19 pandemic, small-business owners have applied en-mass for disaster loans that are a part of March’s relief package passed by the U.S. Congress. Businesses from all 50 states are eligible to apply for $10,000 loan advances.
The cause of the exposure was a bug which mistakenly showed applicants’ personal information including addresses, Social Security numbers, emails, phone numbers, marital and citizenship status, birth dates, household size, income, and tax identification numbers. Applicants reported the bug to CBS News when they noticed other businesses’ information filled in on the registration page. In addition to economic stress, thousands of applicants are at risk of identity fraud.
An SBA official said that in order to see other applicants’ information, users must have been in the loan application portal and attempted to hit the back page button. Users could then see other small businesses’ information in the process.
The SBA relaunched the portal—the website has been plagued with maintenance issues since the program launch—and offered those affected free credit monitoring for one year. Applicants for Paycheck Protection Program (PPP) loans were not affected and no problems have been reported so far.
Thomas McCracken of the National Small Business Association has expressed the stress of the situation and how such malfunctions affect business owners’ faith in the system. “They’ve got to know not only that assistance is coming, but they can count on those sources,” he said to CBS News. While the SBA claims the site is fully functioning, the exposure leaves financially-struggling applicants with more unease.
The SBA has reported to CNBC that there have been no signs of information misuse or fraud as of April 13th.
