The Small Business Administration (SBA) Economic Injury Disaster Loan (EIDL) program suffered a data breach of nearly 8,000 small-business owners, disclosing many owner’s social security numbers. The federal government acted to provide relief to small businesses under the CARES Act in response to the Coronavirus crisis. While the $349 billion Payment Protection Program got most of the attention, the CARES Act also provided additional funding to the existing SBA EIDL program. To streamline the application process, the government created an online portal so businesses could apply directly on the SBA website. Now, we have learned that an error in their online portal led to an EIDL data breach of 7,913 small-business business owner’s information, including social security numbers.
SBA Data Breach
The SBA has sent written notices to applicants applicants that it discovered an data breach involving the EIDL program on March 25, affecting some of the earliest applicants to the program. The SBA has since revised the entire EIDL portal, fixing the issue and increasing security to prevent a occurrence. The breach appears to have been caused by a misconfigured web cache that unintentionally allowed applicants who hit the back button to see another business owner’s loan application information. The SBA said there is no evidence the exposed data has been misused.
Given the nature of information required to apply for an EIDL, the data breach potentially exposed very sensitive business owner’s information. This includes business owner’s names, Social Security numbers, addresses, birth dates, emails, marital status, citizenship status, household size, disclosure inquiry, financial and insurance information. The SBA is offering identity theft protection services to victims through ID Experts.
News of the breach was not well received by politicians, with Nebraska Senator Ben Sasse stating:
“Americans are fighting to keep their businesses alive and the last thing they should have to worry about is whether or not their federal government is competent enough to protect their personal information. We absolutely know that databases of social security numbers, addresses, and birth dates are ripe targets. Washington has got to get it together.”
It is unclear how this could effect the proposed COVID-19 Consumer Data Protection Act.