SBA reveals potential data breach impacting 8,000 emergency business loan applicants

A US Senator says that the White House has “got to get it together.”
Written by Charlie Osborne, Contributing Writer

The US Small Business Administration (SBA) has revealed a suspected data breach impacting the portal used by business owners to apply for emergency loans. 

On Tuesday, the US agency said the incident may affect close to 8,000 applicants to the Economic Injury Disaster Loan program (EIDL), which offers up to $10,000 to small business owners currently struggling due to the coronavirus pandemic. 

At the time of writing, new applicants are not being accepted due to "available appropriations funding."

See also: Scammers are now taking advantage of US small business relief fund in phishing emails

Previous EIDL applicants may have had their names, Social Security numbers, physical and email addresses, dates of birth, citizen status, and insurance information compromised. 

CNN reports that a letter sent to disaster loan applicants, dated April 13, explains that a breach was detected on March 25. A section of the portal was disabled while a security issue was resolved -- although no details have been made public on the nature of the issue -- before relaunch. 

The SBA said that the website "may have led to the inadvertent disclosure of personally identifiable information to other applicants."

While there is no evidence at present that applicant data has been abused, the agency is offering everyone potentially impacted a year of free credit monitoring. 

CNET: Passwords for WHO, CDC, Gates Foundation employees reportedly spread online

In response to the incident, US Senator for Nebraska Ben Sasse commented:

"Americans are fighting to keep their businesses alive and the last thing they should have to worry about is whether or not their federal government is competent enough to protect their personal information. We absolutely know that databases of social security numbers, addresses, and birth dates are ripe targets. Washington has got to get it together."

During the same week that the US agency is grappling with a potential data breach, researchers have found that the organization is also central to a huge wave of phishing emails that are fraudulently using the SBA's name. 

TechRepublic: Coronavirus: What business pros need to know

According to IBM X-Force, COVID-19 phishing emails have surged by over 6,000% over the course of approximately five weeks, and the SBA, alongside major US financial institutions, is being impersonated. The emails claim to be from SBA representatives offering small businesses relief and financial help.  

10 worst hacks and data breaches of 2019 (in pictures)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards