SBA Data Breach Exposes Small Business Disaster Loan Applicants

A recent Small Business Administration (SBA) data breach exposed sensitive information from an estimated 8,000 businesses that had applied for a loan. Those affected are businesses that applied or received Economic Injury Disaster Loans (EIDL).

While EIDL was expanded by the CARES Act, it is separate from the larger Paycheck Protection Program (PPP) that recently passed to help small businesses over the coronavirus pandemic-induced challenges.

However, security professionals are warning that small businesses remain vigilant in assessing any possible damages from the breach, regardless of their loan status with the SBA.

Tripwire’s Tim Erlin

“Initial disclosures of these kinds of breaches are often filled with qualifiers like ‘may’ and ‘might have included.’ It’s difficult for an affected party to really understand what the impact will be,” said Tim Erlin, vice president of product management and strategy at cybersecurity firm Tripwire.

MSSPs can help their small and midsized customers with damage assessments directly or by distributing DIY advice on what steps to take now.

KnowBe4’s James McQuiggan

“The small organizations that were impacted by the data leak want to be vigilant and have credit monitoring on their accounts and social security number,” said James McQuiggan, security awareness advocate at KnowBe4.

While the risks to small businesses have yet to be determined, some think they may be relatively small.

Comparitech’s Paul Bischoff

“Although this breach could have been very serious had it fallen into the wrong hands, at this time it seems no malicious parties accessed the data. We still need to know more details, but if the breach occurred nearly a month ago, then it would have probably surfaced by now had it been stolen. Small businesses should hope for the best but prepare for the worst. That includes identity theft and phishing,” said Paul Bischoff, privacy advocate with Comparitech.

The need for speed is likely behind the sloppy security surrounding SBA disaster loan programs.

comforte AG’s Mark Bower

“It’s clear that prioritizing services to save vulnerable small businesses in a pandemic is a priority, but this exposure begs more questions about application data handling risk. Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line?” said Mark Bower, senior vice president at comforte AG.

“The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk. Attackers are smart, following the money, and the path of least resistance. Affected businesses really need to be watchful for social engineering attacks which follow identity exposures leading to more sinister IT compromises and financial theft,” Bower added.

Even so, government agency breaches are growing to an appalling number and risks overall are growing too — especially when you consider these exposures collectively.

“Government developed and deployed systems are subject to the same risks, and perhaps more, than commercial enterprises. While any breach is unfortunate, it is especially painful when the government exposes the personal data of citizens,” Erlin said.

For the moment, repairing the harm takes priority over finger-pointing.

“There is likely plenty of blame to go around for an incident like this, but the focus should be on how trust can be restored, and affected victims can be protected,” Erline said.