When you’re a small business, you hope for exposure. But recently, we learned that the Small Business Association (SBA) was the victim of an incident that exposed user data in a less-than-positive way. This occurred at the end of March, about two weeks into the official COVID-19 crisis for the United States, and at the beginning of the relief efforts that were being established.
The exposure was on the SBA’s online portal where nearly 8,000 applicants provided personal information in the process of seeking emergency loans. This data may have included personal identifying information such as Social Security numbers, income data, names, addresses, and other contact information. According to officials, applicants in the loan portal who used the page’s back button were able to see information that was related to another business owner. As of yet, there has not been a report of misuse of this available data, and the portal was immediately disabled upon discovery of the flaw.
The SBA provided those affected with a letter indicating that the discovery was made on March 25th and pertained to the applicants of the Economic Injury Disaster Loan program. This long-standing program has been used in the past to aid small business owners who have disruptions from natural disasters such as tornadoes and hurricanes. Recently, the CARES Act, which was enacted to provide $2.2 trillion in aid, added the authorization of grants of up to $10,000 that will not be required to be paid back. This program is not the same as the Paycheck Protection Program that was also included in the CARES Act, and the applicants for that program were not affected.
Remember to Stay Vigilant
While the SBA has offered users one year of credit monitoring, this throws yet another punch to the already struggling small business climate. If you have applied for this program, please ensure that you are alerted to any and all possible changes or misuse of your personal information. As we know from prior situations, this exposure may not result in an immediate breach of your data but can reveal itself much further down the line.