Expert Comments

Expert Insight On News: SBA Website Leaks Personal Data Of 8,000 Small-Business Loan Applicants

Expert(s): Security Experts
Expert(s): Security Experts

CNN reported that about 8,000 applicants for federal disaster loans may have had their personal information exposed to others using the loan application site, the Small Business Administration said Tuesday.

Experts Comments

Dot Your Expert Comments
Paul Bischoff
April 22, 2020
Privacy Advocate
Comparitech

it seems no malicious parties accessed the data
Although this breach could have been very serious had it fallen into the wrong hands, at this time, it seems no malicious parties accessed the data. We still need to know more details, but if the breach occurred nearly a month ago, then it would have probably surfaced by now had it been stolen. Small businesses should hope for the best but prepare for the worst. That includes identity theft and phishing.
James McQuiggan
April 22, 2020
Security Awareness Advocate
KnowBe4

Organisations must have a reliable Software Development Lifecycle program.
Organisations with robust security programs will benefit from security awareness training programs for all employees, including developers of software applications and websites. Within the security program, education must be provided to employees to allow them to make the appropriate security decisions to support and protect the organisation. Organisations must have a reliable Software Development Lifecycle program, where it can effectively develop and review code and also assess it for any.....Read More
Organisations with robust security programs will benefit from security awareness training programs for all employees, including developers of software applications and websites. Within the security program, education must be provided to employees to allow them to make the appropriate security decisions to support and protect the organisation. Organisations must have a reliable Software Development Lifecycle program, where it can effectively develop and review code and also assess it for any vulnerabilities during testing. While it is essential to have an operational system available for the application process, information mustn't be made available to criminals who may try to gain access. Organisations that rush to get a product out the door only to discover a vulnerability afterwards demonstrates a misstep in the SDLC. Additionally, it indicates that cybersecurity is most likely bolted on and not baked into the process. The small organisations that were impacted by the data leak want to be vigilant and have credit monitoring on their accounts and social security numbers. It's helpful to be proactive about protecting their identities and financial accounts versus getting monitoring from another company.  Read Less
Mark Bower
April 22, 2020
Senior Vice President
comforte AG

Have best practices like data-centric security been traded-off to launch quickly.
It’s clear that prioritizing services to save vulnerable small businesses in a pandemic is a priority, but this exposure begs more questions about application data handling risk. Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line? The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk. Attackers are smart, following the money, and the path of least.....Read More
It’s clear that prioritizing services to save vulnerable small businesses in a pandemic is a priority, but this exposure begs more questions about application data handling risk. Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line? The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk. Attackers are smart, following the money, and the path of least resistance. Affected businesses really need to be watchful for social engineering attacks which follow identity exposures leading to more sinister IT compromises and financial theft.  Read Less
Tim Erlin
April 22, 2020
VP of Product Management and Strategy
Tripwire

It’s difficult for an affected party to really understand what the impact will be.
Initial disclosures of these kinds of breaches are often filled with qualifiers like “may” and “might have included.” It’s difficult for an affected party to really understand what the impact will be. Government developed and deployed systems are subject to the same risks, and perhaps more, than commercial enterprises. While any breach is unfortunate, it’s especially painful when the government exposes the personal data of citizens. There is likely plenty of blame to go around.....Read More
Initial disclosures of these kinds of breaches are often filled with qualifiers like “may” and “might have included.” It’s difficult for an affected party to really understand what the impact will be. Government developed and deployed systems are subject to the same risks, and perhaps more, than commercial enterprises. While any breach is unfortunate, it’s especially painful when the government exposes the personal data of citizens. There is likely plenty of blame to go around for an incident like this, but the focus should be on how trust can be restored and affected victims can be protected.  Read Less
Corin Imai
April 22, 2020
Senior Security Advisor
DomainTools

The SBA, on its part, will have to take all the necessary steps to restore the trust of the businesses it exists to support.
Although contained in size, this data breach is unfortunate both because of the sensitivity of the information exposed and because of the nature of the institution involved. Information is still too limited to assess the potential impact of the incident, but despite no signs of the data being used for malicious purposes, it is still important for all the affected parties to watch out for socially engineered attacks such as spear phishing and BEC compromise. The SBA, on its part, will have to.....Read More
Although contained in size, this data breach is unfortunate both because of the sensitivity of the information exposed and because of the nature of the institution involved. Information is still too limited to assess the potential impact of the incident, but despite no signs of the data being used for malicious purposes, it is still important for all the affected parties to watch out for socially engineered attacks such as spear phishing and BEC compromise. The SBA, on its part, will have to take all the necessary steps to restore the trust of the businesses it exists to support.  Read Less
Chris Rothe
April 23, 2020
Co-founder and Chief Product Officer
Red Canary

Chris Rothe, co-founder and chief product officer, Red Canary
Systems like the EIDL application portal that have to be rushed to production are more likely to contain security issues like this. Software is developed by humans and they make mistakes. If they have more time to test before the software goes live, they have a better chance of avoiding issues with the functionality or security of an application. This is essentially a repeat of what we saw with the Iowa caucus app which was built very quickly and not tested well enough before it being.....Read More
Systems like the EIDL application portal that have to be rushed to production are more likely to contain security issues like this. Software is developed by humans and they make mistakes. If they have more time to test before the software goes live, they have a better chance of avoiding issues with the functionality or security of an application. This is essentially a repeat of what we saw with the Iowa caucus app which was built very quickly and not tested well enough before it being launched to execute a vital election process.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords

Expert Reaction On Go Is Becoming The Language Of Choice...

Experts On Google Voice Outage

Expert Reaction On GCHQ To Use AI In Cyberwarfare

Comment: Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab...

Expert Reaction On Private Data Leaked From Far-right Platform Gab

Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab Studying...