Expert Insight On News: SBA Website Leaks Personal Data Of 8,000 Small-Business Loan Applicants

By ISBuzz Team
Writer, Information Security Buzz | Apr 22, 2020 06:23 am PST

CNN reported that about 8,000 applicants for federal disaster loans may have had their personal information exposed to others using the loan application site, the Small Business Administration said Tuesday.

Chris Rothe, Co-founder and Chief Product Officer
April 23, 2020 4:27 pm

Systems like the EIDL application portal that have to be rushed to production are more likely to contain security issues like this.

Software is developed by humans and they make mistakes. If they have more time to test before the software goes live, they have a better chance of avoiding issues with the functionality or security of an application.

This is essentially a repeat of what we saw with the Iowa caucus app, which was built very quickly and not tested well enough before being launched to execute a vital election process.

Paul Bischoff, Privacy Advocate
April 22, 2020 2:44 pm

Although this breach could have been very serious had it fallen into the wrong hands, at this time, it seems no malicious parties accessed the data. We still need to know more details, but if the breach occurred nearly a month ago, then it would have probably surfaced by now had it been stolen. Small businesses should hope for the best but prepare for the worst. That includes identity theft and phishing.

James McQuiggan, Security Awareness Advocate
April 22, 2020 2:41 pm

Organisations with robust security programs will benefit from security awareness training programs for all employees, including developers of software applications and websites. Within the security program, education must be provided to employees to allow them to make the appropriate security decisions to support and protect the organisation. Organisations must have a reliable Software Development Lifecycle program, where it can effectively develop and review code and also assess it for any vulnerabilities during testing.

While it is essential to have an operational system available for the application process, information mustn't be made available to criminals who may try to gain access. Organisations that rush to get a product out the door only to discover a vulnerability afterwards demonstrate a misstep in the SDLC. Additionally, it indicates that cybersecurity is most likely bolted on and not baked into the process.

The small organisations that were impacted by the data leak want to be vigilant and have credit monitoring on their accounts and social security numbers. It's helpful to be proactive about protecting their identities and financial accounts versus getting monitoring from another company.

Mark Bower, Senior Vice President
April 22, 2020 2:30 pm

It’s clear that prioritizing services to save vulnerable small businesses in a pandemic is a priority, but this exposure begs more questions about application data handling risk. Have best practices like data-centric security been traded off to launch quickly, leading to further exposure and attack down the line? The last thing these businesses need is their identity data abuse cascading to deeper economic injury risk.

Attackers are smart, following the money, and the path of least resistance. Affected businesses really need to be watchful for social engineering attacks which follow identity exposures leading to more sinister IT compromises and financial theft.

Tim Erlin, VP of Product Management and Strategy
April 22, 2020 2:28 pm

Initial disclosures of these kinds of breaches are often filled with qualifiers like “may” and “might have included.” It’s difficult for an affected party to really understand what the impact will be.

Government-developed and -deployed systems are subject to the same risks as commercial enterprises, and perhaps more. While any breach is unfortunate, it’s especially painful when the government exposes the personal data of citizens.

There is likely plenty of blame to go around for an incident like this, but the focus should be on how trust can be restored and affected victims can be protected.
