Bank of America blames PPP applications leak on faulty SBA test server

BofA says SBA test platform allowed others to view details for its customers' PPP loan applications.

Bank of America disclosed this week a security incident that impacted its online platform for processing loan requests filed by US companies for the Paycheck Protection Program (PPP), a COVID-19 relief fund set up by the US government.

The bank says that information for some companies that applied for loans last month might have been viewed by other lenders (banks) or organizations.

Information that might have been viewed by others includes business address, contact info, and tax identification number (TIN), but also details about the business owner, such as name, address, Social Security Number, phone number, email address, and citizenship.

Bank of America blames incident on SBA test server

The bank blamed the entire incident on a test platform managed by the US Small Business Administration (SBA), the government agency responsible for processing and approving PPP loan applications filed by the bank in the name of its customers.

"This platform was designed to allow authorized lenders [such as Bank of America] to test the process for submitting PPP applications to the SBA prior to the actual submission process," the bank said this week.

Bank of America (BofA) said that PPP loan applications submitted on this test server were visible to other parties with access to the test platform.

BofA said this happened on April 22, and that it contacted the SBA on the same day to have its customers' data removed from the test platform.

However, there might be more to this than meets the eye. At the start of April, ZDNet received a tip from one of our readers about issues with the BofA backend for processing PPP loans.

BofA customers who submitted a PPP loan application reported instances where they viewed another customer's details when logging in at a later date to review their application status.

It is unclear if this incident is related to the "SBA test platform" issue Bank of America disclosed this week, or a different issue altogether. A Bank of America spokesperson did not return a request for comment last month.

BofA hasn't had the smoothest experience with the SBA's PPP COVID-19 relief fund efforts. The bank has been criticized for the confusing design (user experience, UX) of its PPP application process, and has been sued in California for prioritizing PPP loan applications from large corporations over those submitted by smaller businesses.