Bank Of America Admits Paycheck Protection Program Data Breach – Enterprise Security Expert Comments

Late last week Bank of America Corporation disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP). Client information was exposed on April 22 when the bank uploaded PPP applicants’ details onto the US Small Business Administration’s test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off. The breach was revealed in a filing made by Bank of America with the California Attorney General’s Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients’ information.

Expert Comments

May 28, 2020
Mark Bower
Senior Vice President
comforte AG
It goes to show that even the best prepared organizations can suffer breach risks in the rush to changing marketing conditions or harsh deadlines like SBA loan processing. The missing piece here that could have saved the day was using de-identified data during the test run to avoid regulated data exposure. De-identifying data can be as simple as transforming it with technologies like tokenization to a neutralized form that can still drive the application in production or test, but not expose it to risks during test or under attack. It’s a simple step to add to a developer integration and test pipeline or app test process as part of a wider embrace of a “privacy-centric culture” that has to be the norm and not the exception given the pressure of security and privacy regulations and mandates.
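The de-identification step described in the comment above can be sketched as a gate in front of a test upload. This is an added example, not code from Bank of America, the SBA or comforte AG; the field names, policy, key and sample records are assumptions, and it uses a one-way HMAC-based token rather than a vault-backed tokenization product.

```python
import hashlib
import hmac
import json

# Assumption: the key stays in the production-side pipeline, never in test.
TOKEN_KEY = b"constructed-demo-key"

# Hypothetical field policy: "digits" keeps the layout, "text" swaps in a label.
POLICY = {"ein": "digits", "owner_ssn": "digits",
          "business_name": "text", "owner_name": "text"}

def tokenize(field, value, mode, key=TOKEN_KEY):
    """One-way keyed token: same input gives same token, so joins still work."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    if mode == "text":
        return f"{field}-{mac.hex()[:12]}"
    stream = iter(mac)  # 32 bytes, so identifiers of up to 32 digits
    # Keep separators and length so format validation on the test side passes.
    return "".join(str(next(stream) % 10) if c.isdigit() else c for c in value)

def deidentify(record, key=TOKEN_KEY):
    """Return a copy with every field named in POLICY tokenized."""
    return {f: tokenize(f, v, POLICY[f], key) if f in POLICY else v
            for f, v in record.items()}

def find_leaks(originals, outgoing):
    """Sensitive source values that still appear anywhere in the outgoing batch."""
    blob = json.dumps(outgoing)
    return sorted({r[f] for r in originals for f in POLICY if r[f] in blob})

def build_test_batch(records):
    """Gate for the test upload: tokenize, then refuse if anything leaked."""
    batch = [deidentify(r) for r in records]
    leaks = find_leaks(records, batch)
    if leaks:
        raise ValueError(f"refusing upload: {len(leaks)} raw values present")
    return batch

# Constructed sample records (invalid SSN/EIN prefixes, not real applicants).
SAMPLE = [
    {"ein": "00-1234567", "owner_ssn": "000-12-3456",
     "business_name": "Example Bakery LLC", "owner_name": "Pat Example", "loan_amount": 48000},
    {"ein": "00-1234567", "owner_ssn": "000-98-7654",
     "business_name": "Example Bakery LLC", "owner_name": "Sam Example", "loan_amount": 12500},
]

if __name__ == "__main__":
    print(json.dumps(build_test_batch(SAMPLE), indent=2))
```

Because the tokens are deterministic per field, two applications from the same business still share an EIN token, so the test platform can exercise duplicate and join logic without seeing the real identifier.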