CARES Act: The SBA EIDL Loan Data Breach

SBA EIDL Data Breach

The federal government acted to provide relief to small businesses under the CARES Act in response to the Coronavirus crisis. While the $349 billion Payment Protection Program got most of the attention, the CARES Act also provided additional funding to the existing Small Business Administration (SBA) Economic Injury Disaster Loan (EIDL) program. To streamline the application process, the government created an online portal so businesses could apply directly on the SBA website. Now we have learned that an error in that online portal led to a data breach exposing the information of 7,913 small-business owners, including Social Security numbers.

The SBA has sent written notices to EIDL applicants stating that it discovered a data breach on March 25, affecting some of the earliest applicants to the program. The SBA has since revised the entire EIDL portal, fixing the issue and increasing security to prevent a recurrence. The breach appears to have been caused by a misconfigured web cache that unintentionally allowed applicants who hit the back button to see another business owner’s loan application information. The SBA said there is no evidence the exposed data has been misused.
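The article does not say which cache settings the SBA portal used, so the following is an added illustration of the general misconfiguration class, not the portal's actual configuration. A page that contains one applicant's data must not be stored by any cache shared between users (a CDN or reverse proxy in front of the application) or reused from cache without revalidation; the audit below reads a response's Cache-Control and Vary headers and reports each way the response could be stored and replayed to someone else, then produces the header set a defender would send instead. The header values and path prefixes are constructed for the example.

```python
"""Audit HTTP response headers for the cache weakness described above.

Constructed example: the header sets below are illustrative, not taken
from the SBA portal. Only the standard library is used.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split a Cache-Control value into {directive: argument}.

    'private, max-age=300' -> {'private': '', 'max-age': '300'}
    """
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"')
    return directives


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return one finding per way a response carrying per-user data
    could be written to a cache and later served to a different user.
    An empty list means the headers are safe for sensitive content."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings: List[str] = []

    # no-store forbids every cache (browser and shared) from keeping a copy.
    if "no-store" not in cc:
        findings.append("missing no-store: response may be written to a browser or proxy cache")
    # Without private (or no-store), a CDN/reverse proxy keyed on URL alone
    # can hand user A's page to user B who requests the same URL.
    if "private" not in cc and "no-store" not in cc:
        findings.append("not marked private: shared caches (CDN, reverse proxy) may store it")
    if "public" in cc:
        findings.append("marked public: explicitly permits shared caching")
    # A positive freshness lifetime lets a cached copy be reused without
    # asking the origin whether this client is allowed to see it.
    max_age = cc.get("max-age") or cc.get("s-maxage")
    if max_age and max_age != "0":
        findings.append(f"positive max-age={max_age}: cached copy reused without revalidation")
    # If a copy is storable at all, the cache key should at least include
    # the credential that identifies the user.
    vary = h.get("vary", "").lower()
    if "no-store" not in cc and "cookie" not in vary and "authorization" not in vary:
        findings.append("Vary lacks Cookie/Authorization: cache key ignores who is logged in")
    return findings


def hardened_headers() -> Dict[str, str]:
    """Header set a defender sends on any page containing applicant data."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private, max-age=0",
        "Pragma": "no-cache",   # for legacy HTTP/1.0 intermediaries
        "Expires": "0",
    }


# Constructed weak configuration: a per-user application page marked as
# cacheable by anyone for ten minutes.
WEAK_HEADERS = {
    "Cache-Control": "public, max-age=600",
    "Content-Type": "text/html; charset=utf-8",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", hardened_headers())):
        print(f"{label}: {hdrs.get('Cache-Control')}")
        for finding in cache_findings(hdrs) or ["no cache findings"]:
            print("  -", finding)
```

Note that `private` alone is not sufficient: a `Cache-Control: private, max-age=300` response still leaves a stored copy in the browser that the back button will display without revalidation, which matters on shared workstations; `no-store` is the directive that removes the copy entirely.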

Given the nature of the information required to apply for an EIDL, the breach potentially exposed very sensitive business owners’ information. This includes business owners’ names, Social Security numbers, addresses, birth dates, emails, marital status, citizenship status, household size, disclosure inquiry, and financial and insurance information. The SBA is offering identity theft protection services to victims through ID Experts.