The administration of the Paycheck Protection Program (PPP) continues to face media scrutiny since its launch on April 3rd. Lawsuits filed against Bank of America on April 19th allege that BofA gave priority to high-dollar loans, with the accusation that BofA was after the larger origination fees. Now, Bank of America is making headlines again with its recent announcement of a security incident on April 22nd affecting an undisclosed number of PPP loan applicants.
BofA recently filed a confirmation notice with the California Attorney General’s Office—which also went out to those affected by the incident—that read in part, “We are writing to advise you that in preparation for submission of loan applications to the SBA, Bank of America (the Bank) uploaded some clients’ loan applications to a limited access, controlled SBA test application platform. This platform was designed to allow authorized lenders to test the process for submitting PPP applications to the SBA prior to the actual submission process.
During testing, we discovered information included in your application may have been visible for a limited time period to a limited number of other lenders and their vendors authorized by the SBA to participate in the program.”
The Small Business Administration (SBA) test platform was found to share application data with other SBA-authorized lenders and their vendors through an apparent glitch in the system. BofA discovered this security issue quickly, asked the SBA to remove the affected information, and an investigation is ongoing. While BofA includes assurances in its statement that the data has not been used for malicious acts, it also admits that exposed data included names, addresses, Social Security Numbers, phone numbers, email addresses and citizenship status. The number of those affected is undisclosed.
Bank of America is offering two years of free identity theft protection through Experian IdentityWorks.
Notably, around the same time, almost 8,000 of the businesses that applied for the Economic Injury Disaster Loan program (EIDL) also had data exposed to other applicants. Business owners were reporting their online EIDL registration was already populated with other business information. The SBA statement reads that upon detection, they “immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal.”
The SBA is a government agency that offers support to entrepreneurs and small businesses. However, it is notoriously understaffed and underfunded. An audit in 2015 found that the SBA had 35 ongoing and unaddressed audit issues relating to long-standing security weaknesses.
During the COVID-19 pandemic, the SBA is under even greater pressure to quickly design and roll out new programs for fund relief. It is worrisome that speed has been prioritized over security, setting the SBA up for future breaches and security incidents.
Additionally, the SBA is under scrutiny for the way it handled the April 22nd glitch. Those affected were emailed a vague form letter notifying applicants of the breach and offering a year of free credit monitoring. These ambiguous emails are troublesome particularly because phishing scams impersonating US financial institutions, the SBA included, are up 6,000%, according to IBM X-Force.
Cyber Security Hub recently wrapped up its 2020 Cyber Security Digital Summit, which featured advice from the experts on how to improve cyber security best practices and reduce threat impact. A common theme of the summit was the importance of creating and financing strong enterprise cyber security strategies before breaches occur. Communicating the importance of this sector of an enterprise is often where agencies face stumbling blocks.
In the meantime, small businesses can protect themselves by encrypting their data while browsing the web; installing antivirus and antispyware software; and banking safely online, which includes avoiding public Wi-Fi and updating passwords regularly. If a breach does occur, credit monitoring is imperative.