Expert Insight On News: SBA Website Leaks Personal Data Of 8,000 Small-Business Loan Applicants

CNN reported that about 8,000 applicants for federal disaster loans may have had their personal information exposed to others using the loan application site, the Small Business Administration said Tuesday.

Experts' Comments

April 22, 2020
Paul Bischoff
Privacy Advocate
Comparitech
Although this breach could have been very serious had it fallen into the wrong hands, at this time, it seems no malicious parties accessed the data. We still need to know more details, but if the breach occurred nearly a month ago, then it would have probably surfaced by now had it been stolen. Small businesses should hope for the best but prepare for the worst. That includes identity theft and phishing.
April 22, 2020
James McQuiggan
Security Awareness Advocate
KnowBe4
Organisations with robust security programs will benefit from security awareness training programs for all employees, including developers of software applications and websites. Within the security program, education must be provided to employees to allow them to make the appropriate security decisions to support and protect the organisation. Organisations must have a reliable Software Development Lifecycle program, where it can effectively develop and review code and also assess it for any vulnerabilities during testing. While it is essential to have an operational system available for the application process, information mustn't be made available to criminals who may try to gain access. Organisations that rush to get a product out the door only to discover a vulnerability afterwards demonstrate a misstep in the SDLC. Additionally, it indicates that cybersecurity is most likely bolted on and not baked into the process. The small organisations that were impacted by the data leak want to be vigilant and have credit monitoring on their accounts and social security numbers. It's helpful to be proactive about protecting their identities and financial accounts versus getting monitoring from another company.
April 22, 2020
Mark Bower
Senior Vice President
comforte AG
It’s clear that prioritizing services to save vulnerable small businesses in a pandemic is a priority, but this exposure begs more questions about application data handling risk. Have best practices like data-centric security been traded off to launch quickly, leading to further exposure and attack down the line? The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk. Attackers are smart, following the money, and the path of least resistance. Affected businesses really need to be watchful for social engineering attacks which follow identity exposures leading to more sinister IT compromises and financial theft.
April 22, 2020
Tim Erlin
VP of Product Management and Strategy
Tripwire
Initial disclosures of these kinds of breaches are often filled with qualifiers like “may” and “might have included.” It’s difficult for an affected party to really understand what the impact will be. Government-developed and -deployed systems are subject to the same risks as, and perhaps more than, commercial enterprises. While any breach is unfortunate, it’s especially painful when the government exposes the personal data of citizens. There is likely plenty of blame to go around for an incident like this, but the focus should be on how trust can be restored and affected victims can be protected.
April 22, 2020
Corin Imai
Senior Security Advisor
DomainTools
Although contained in size, this data breach is unfortunate both because of the sensitivity of the information exposed and because of the nature of the institution involved. Information is still too limited to assess the potential impact of the incident, but despite no signs of the data being used for malicious purposes, it is still important for all the affected parties to watch out for socially engineered attacks such as spear phishing and BEC compromise. The SBA, on its part, will have to take all the necessary steps to restore the trust of the businesses it exists to support.
April 23, 2020
Chris Rothe
Co-founder and Chief Product Officer
Red Canary
Systems like the EIDL application portal that have to be rushed to production are more likely to contain security issues like this. Software is developed by humans and they make mistakes. If they have more time to test before the software goes live, they have a better chance of avoiding issues with the functionality or security of an application. This is essentially a repeat of what we saw with the Iowa caucus app, which was built very quickly and not tested well enough before being launched to execute a vital election process.