Almost 8,000 business owners who applied for a loan from the Small Business Administration may have had their personal information exposed to other applicants, the SBA admitted on Tuesday.
The breach relates to a long-standing SBA program called Economic Injury Disaster Loans (EIDL). It has traditionally been used to aid owners whose businesses are disrupted by hurricanes, tornadoes, or other disasters. It was recently expanded by Congress in the $2.2 trillion CARES Act. In addition to loans, the law authorized grants of up to $10,000 that don’t need to be paid back.
The EIDL program is separate from the larger Paycheck Protection Program that was also part of the CARES Act. The SBA says that PPP applicants were not affected by the breach.
A Trump administration official described the problem to CNBC:
The official said that in order to access other business owners’ information, small business applicants must have been in the loan application portal. If the user attempted to hit the page back button, he or she may have seen information that belonged to another business owner, not their own.
The SBA says it discovered the flaw on March 25 and notified affected users. One victim posted a copy last Friday of a paper letter she received about the breach. The letter stated that personally identifiable information—including Social Security numbers, addresses, dates of birth, and financial data—may have been exposed. The letter said that, as of last week, there was no sign yet of the data being misused.
The SBA says that it immediately disabled the portion of its website that was exposing applicant data, fixed the problem, and re-launched the website. Affected businesses have been offered a year of free credit monitoring.
The SBA has struggled to deal with demand for EIDL loans. Before the coronavirus crisis, small businesses were supposed to be eligible for up to $2 million in disaster loans.
But with millions of firms seeking assistance, the SBA was forced to limit the loans to as little as $10,000. Despite the limits, the SBA website currently states that it is not accepting new applications due to a lack of funds.
As of April 19, SBA had approved almost 27,000 EIDL loans valued at $5.6 billion. Another 755,000 businesses received EIDL grants worth a total of $3.3 billion. The Trump administration official told CNBC that 4 million business owners had applied for assistance worth $383 billion—far more than the $17 billion allocated for the program.
The PPP has also seen overwhelming demand, with funding running out in a matter of days. A legislative compromise announced on Tuesday could replenish both programs, with the PPP getting another $320 billion and the EIDL getting $60 billion.