CNN reported that about 8,000 applicants for federal disaster loans may have had their personal information exposed to others using the loan application site, the Small Business Administration said Tuesday.
SBA website leaks personal data of 8,000 small-business loan applicants https://t.co/Fy9BIMBXz0 pic.twitter.com/Gox4rxZklE
— Fortune Tech (@FortuneTech) April 21, 2020
Systems like the EIDL application portal that have to be rushed to production are more likely to contain security issues like this.
Software is developed by humans and they make mistakes. If they have more time to test before the software goes live, they have a better chance of avoiding issues with the functionality or security of an application.
This is essentially a repeat of what we saw with the Iowa caucus app, which was built very quickly and not tested well enough before being launched to run a vital election process.
Although this breach could have been very serious had the data fallen into the wrong hands, at this time it seems no malicious parties accessed it. We still need more details, but if the exposure occurred nearly a month ago, evidence of misuse would probably have surfaced by now had the data been stolen. Small businesses should hope for the best but prepare for the worst, which includes identity theft and phishing.
Organisations with robust security programs benefit from security awareness training for all employees, including the developers of software applications and websites. Within the security program, employees must be given the education they need to make appropriate security decisions that support and protect the organisation. Organisations must also have a reliable Software Development Lifecycle (SDLC) program within which code is developed and reviewed effectively and assessed for vulnerabilities during testing.
While it is essential to have an operational system available for the application process, information must not be made available to criminals who may try to gain access to it. Organisations that rush to get a product out the door only to discover a vulnerability afterwards demonstrate a misstep in the SDLC. It also indicates that cybersecurity was most likely bolted on rather than baked into the process.
The small organisations affected by the data leak should be vigilant and put credit monitoring in place on their accounts and Social Security numbers. It is better to be proactive about protecting their identities and financial accounts than to wait for monitoring offered by another company after the fact.
It is clear that getting services to vulnerable small businesses during a pandemic is a priority, but this exposure raises more questions about how application data is handled. Were best practices like data-centric security traded off to launch quickly, leading to further exposure and attacks down the line? The last thing these businesses need is abuse of their identity data cascading into deeper economic injury.
Attackers are smart: they follow the money and the path of least resistance. Affected businesses need to watch for the social engineering attacks that typically follow identity exposures and lead to more serious IT compromises and financial theft.
Initial disclosures of these kinds of breaches are often filled with qualifiers like “may” and “might have included.” It’s difficult for an affected party to really understand what the impact will be.
Government-developed and -deployed systems are subject to the same risks as commercial enterprises, and perhaps more. While any breach is unfortunate, it is especially painful when the government exposes the personal data of its citizens.
There is likely plenty of blame to go around for an incident like this, but the focus should be on how trust can be restored and affected victims can be protected.