On April 21, the Small Business Administration (SBA) revealed that around 8,000 small business loan applicants had their potentially sensitive information exposed in a data leak affecting the website being used to host the online application. The affected site was the service collecting applications for the Economic Injury Disaster Loans (EIDL) program, meaning that any applicant who submitted information prior to March 25, 2020, could have been affected.
From what’s been announced publicly, it doesn’t sound like there were bad actors at play, but rather this was likely a configuration error that permitted some applicants to view the information submitted by other businesses that had previously submitted an application. This means that there’s somewhat less of a risk that the data would be misused. In other words, the business owner applicants are slightly less likely than the average cybercriminal to attempt to misuse any data that they could have obtained. But, if the information was available to public users, then it’s possible it was open to cybercriminals as well through other channels. Also, with tax-filing deadlines extended this year, there is a longer window for a fraudster to take advantage of the compromise.