SBA says data breach affected nearly 8,000 small businesses

A glitch in the Small Business Administration's Economic Injury Disaster Loan portal has led to a breach of personal data of 7,913 small-business owners.

The agency has been informing applicants for its EIDL program by paper mail that it discovered the data breach on March 25. It said in its letter that it disabled the website, took steps to prevent the breach from happening again and is offering identity theft protection services to victims through ID Experts.

Breached information may have included names, Social Security numbers, addresses, birth dates, emails, marital status, citizenship status, household size, disclosure inquiry, financial and insurance information, the SBA said in its letter.

The breach appears to have been caused by a misconfigured web cache that allowed small-business applicants using the portal who hit the back button to see another business owner’s loan application information. The SBA said there is no evidence the exposed data has been misused.
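As an added illustration (not code from the SBA or from this article), the sketch below checks whether responses to logged-in requests carry a Cache-Control directive that keeps them out of a shared web cache, the kind of misconfiguration described above. The paths, cookie values and header sets are constructed samples, and the cookie-based session is an assumption.

```python
# Added example: classify responses by where they may be cached.
# All paths, cookies and header values below are constructed samples.

def parse_cache_control(value):
    """Parse a Cache-Control header value into {directive: argument or None}."""
    directives = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def classify(request_headers, response_headers):
    """Say where a response to this request may be stored and reused."""
    req = {k.lower() for k in request_headers}
    resp = {k.lower(): v for k, v in response_headers.items()}
    if "cookie" not in req:        # assumption: sessions are cookie-based
        return "not-personalized"
    cc = parse_cache_control(resp.get("cache-control"))
    if "no-store" in cc:           # no cache, shared or browser, may keep it
        return "ok"
    if "private" in cc:            # shared caches must not store it; a browser may
        return "browser-only"
    return "shared-cacheable"      # nothing forbids a shared cache from storing it

SESSION = {"Cookie": "session=constructed-value"}
SAMPLES = [  # (hypothetical path, request headers, response headers)
    ("/application/view", SESSION, {"Cache-Control": "public, max-age=600"}),
    ("/application/edit", SESSION, {"cache-control": "private, max-age=0"}),
    ("/application/summary", SESSION, {"Cache-Control": "no-store"}),
    ("/application/status", SESSION, {}),
    ("/static/logo.png", {}, {"Cache-Control": "public, max-age=86400"}),
]

def audit(samples):
    """Map each sampled path to its caching verdict."""
    return {path: classify(req, resp) for path, req, resp in samples}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{verdict:17} {path}")
```

Pages that show personal data should come back as `ok`; `browser-only` still leaves a copy reachable through the back button on a shared computer.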

The SBA did not respond to a request for comment by deadline.

The SBA’s Economic Injury Disaster Loan program, which normally provides grants to businesses affected by natural disasters, recently was expanded by Congress to include those affected by the coronavirus pandemic. Small businesses that have applied to the Paycheck Protection Program are not affected.