SBA Loan Application Data Breach: What You Can Do

On April 21, the Small Business Administration (SBA) revealed that around 8,000 small business loan applicants had their potentially sensitive information exposed in a data leak affecting the website being used to host the online application. The affected site was the service collecting applications for the Economic Injury Disaster Loans (EIDL) program, meaning that any applicant who submitted information prior to March 25, 2020, could have been affected.

What We Know

From what’s been announced publicly, it doesn’t sound like there were bad actors at play, but rather this was likely a configuration error that permitted some applicants to view the information submitted by other businesses that had previously submitted an application. This means that there’s somewhat less of a risk that the data would be misused. In other words, the business owner applicants are slightly less likely than the average cybercriminal to attempt to misuse any data that they could have obtained. But, if the information was available to public users, then it’s possible it was open to cybercriminals as well through other channels. Also, with tax-filing deadlines extended this year, there is a longer window for a fraudster to take advantage of the compromise.

A few types of information are likely of concern here, the first of which is individual taxpayer information. Many eligible companies are sole proprietorships or pass-through LLCs, many using their social security numbers as their taxpayer identification number. Further, every applicant had to provide a social security number to even begin the application (see the main EIDL application page).

What can you do? Here are a few steps to minimize your exposure.

Compare dates to determine if your information could have been available via the compromised site prior to March 26, 2020 (the date the SBA discovered the leak; they immediately took down the site to resolve the issue).
Take a few steps to protect yourself from tax fraud. Even a name and an individual social security number together can lead to tax fraud.
- One of the main types of misuse of social security number data involves filing a fraudulent return to get the 2019 tax refund. Colorado taxpayers and residents of many other states are eligible for an IP PIN from the IRS to prevent any fraudulent filings.
The IP PIN program isn’t eligible for everyone by default. Currently, Coloradans are eligible as of the 2020 filing season if they filed last year as CO resident. The same goes for New Yorkers and Californians.
The SBA announced it was providing ID theft protection monitoring to affected businesses, so take advantage of it. It is a valuable tool to have and also helps build good business habits
Consider placing a credit freeze on personal credit accounts, which will prevent bad actors from applying for credit in your name. You can also contact any one of the three major credit bureaus to place a fraud alert. A fraud alert on credit records is not as secure as a freeze, but a fraud alert is free.
- However, if you are concerned that placing a freeze will affect your access to capital through credit that you will need during this time, it’s best to monitor your bank statements.
Use this event as a wake-up call. Implement multi-factor authentication on all accounts when available. Check that your own business isn’t vulnerable to a similar sort of leak.

Larkin Reynolds is a technology-focused advisor, helping small and large business clients navigate complex transactions and the maze of laws relating to privacy and data security. She can be reached at larkin.reynolds@moyewhite.com or (303) 295-9808.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.