Almost 8,000 could be affected by federal emergency loan data breach, Ars Technica

SNAFU –

Pressing the back button could expose another applicant’s private information.

am UTC

/ Small Business Administrator Jovita Carranza is flanked by Donald Trump and Secretary of Treasury Steve Mnuchin on April 2, 2020.

Almost 8, business owners who applied for a loan from the Small Business Administration may have had their personal information exposed to other applicants, the SBA admitted on Tuesday.

The breach relates to a long-standing SBA program called Economic Injury Disaster Loans (EIDL). It has traditionally been used to aid owners whose businesses are disrupted by hurricanes, tornadoes, or other disasters. It was recently expanded by Congress in the $ 2.2 trillion CARES Act. In addition to loans, the law authorized grants of up to $ , that don’t need to be paid back.

The EIDL program is separate from the larger Paycheck Protection Program that was also part of the CARES Act. The SBA says that PPP applicants were not affected by the breach.

A Trump administration official described the problem to CNBC:

The official said that in order to access other business owners’ information, small business applicants must have been in the loan application portal. If the user attempted to hit the page back button, he or she may have seen information that belonged to another business owner, not their own.

The SBA says it discovered the flaw on March

and notified affected users . One victim

posted a copy last Friday of a paper letter she received about the breach. The letter stated that personally identifiable information — including social security numbers, addresses, dates of birth, and financial data — may have been exposed. The letter said that, as of last week, there was no sign yet of the data being misused.

The SBA says that it immediately disabled the portion of its website that was exposing applicant data, fixed the problem, and re-launched the website. Affected businesses have been offered a year of free credit monitoring.

Overwhelming demand

The SBA has struggled to deal with demand for EIDL loans. Before the coronavirus crisis, small businesses were supposed to be eligible for up to $ 2 million in disaster loans.

But with millions of firms seeking assistance, the SBA was forced to limit the loans to as little as $ , . Despite the limits, the SBA website currently

states

that it is not accepting new applications due to a lack of funds.

As of April SBA had

approved almost 46, EIDL loans valued at $ 5.6 billion. Another 823, 01 businesses received EIDL grants worth a total of $ 3.3 billion. The Trump administration official told CNBC that that 4 million business owners had applied for assistance worth $ billion — far more than the $ (billion allocated for the program.)

The PPP has also seen overwhelming demand, with funding running out in a matter of days. A legislative compromise announced on Tuesday could replenish both programs, with the PPP getting another $ billion and the EIDL getting $ (billion.) (Read More)