MIX UP –
Form requires sensitive data, including driver’s license and voided check scan.
Dan Goodin – Apr , 3: 49 PM UTC
The first page he saw displayed the name, email address, and business phone number of the person. When Warren clicked to the next page, he saw the last four digits of the woman’s social security number and her business address. Knowing that the application required an amount of other sensitive information — including disclosure of any criminal history, average monthly salary, a driver’s license scan, a scan of a voided check, a proof of payroll form, and, optionally, the most recent tax return —Warren stopped there.
“If I had kept clicking on, who knows what I would have seen,” said Warren, who lives in Tucson , Arizona. “I felt weird about it, so I got out of it.”
Warren then called Kelley Jacobs, the Illinois-based woman whose information had appeared on his screen. He told her what had just happened and asked if she had seen his information. She said she hadn’t but that, like him, she had been experiencing maddening website glitches as she was trying to complete her PPP application.
The service facilitating the online loan application process was provided by Lendio , a company that matches borrowers with lenders around the US. The financial institution in this case was
Cross River of Fort Lee, New Jersey.
Because Lendio had been the entity that emailed both Warren and Jacobs the link to the application, both of the applicants called Lendio’s customer service department and explained what happened. On Tuesday, more than 30 hours after the mishap, a Lendio representative sent a response.
“We have confirmed there are no glitches or data breaches on Lendio’s site,” the representative wrote. “We do not believe that your data was shared on Lendio’s end.”
The email went on to offer Jacobs a year’s worth of credit monitoring at no cost. It also directed her to resubmit her application and this time use a different lender.
In a statement, Cross River officials wrote:
Lendio representatives did not respond to an email seeking comment for this post.
Twitter messages mentioning Lendio
indicates that the service has been racked by a series of performance problems over the past few days that are preventing many people from submitting loan applications. It’s likely that Cross River is experiencing the same crippling strain.
This is likely the result of Tuesday’s resumption by the US Small Business Administration in accepting loan applications under the PPP. The program has attracted a torrent of people applying for loans after suffering business shutdowns caused by the coronavirus pandemic. That said, there’s a difference between a site falling over and one that presents one user’s sensitive data to a complete stranger who also happens to be using the same site.
There’s not much people can do to protect themselves in the latter situation. Stronger passwords and other good security hygiene won’t save you. Website security scanning tools like this one or this one Don’t hurt, but in this case, they found the loan application URL to be low risk. And given social distancing, people seeking loans amid an unprecedented economic crisis have little alternative but to apply online. About the only refuge one can take is to monitor credit reports frequently and whenever feasible, place a credit freeze with all four major credit reporting agencies.
GIPHY App Key not set. Please check settings