Late last week Bank of America Corporation disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP). Client information was exposed on April 22 when the bank uploaded PPP applicants’ details onto the US Small Business Administration’s test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off. The breach was revealed in a filing made by Bank of America with the California Attorney General’s Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients’ information.
It goes to show that even the best prepared organizations can suffer breach risks in the rush to changing marketing conditions or harsh deadlines like SBA loan processing. The missing piece here that could have saved the day was using de-identified data during the test run to avoid regulated data exposure. De-identifying data can be as simple as transforming it with technologies like tokenization to a neutralized form that can still drive the application in production or test, but not expose it to risks during test or under attack. It’s a simple step to add to a developer integration and test pipeline or app test process as part of a wider embrace of a “privacy-centric culture” that has to be the norm and not the exception given the pressure of security and privacy regulations and mandates.