SBA Data Breach Exposes Small Business Disaster Loan Applicants
MSSPs need to guard their small business clientele from “identity data abuse cascading to deeper economic injury risk.”
April 24, 2020
![Small Business Administration (SBA)](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt2e70d72011af344b/6525f91c9adb9a780483ccf9/Small-Business-Administration_SBA.jpg?width=1280&auto=webp&quality=95&format=jpg&disable=upscale)
A recent Small Business Administration (SBA) data breach exposed sensitive information from an estimated 8,000 businesses that had applied for a loan. Those affected are businesses that applied for or received Economic Injury Disaster Loans (EIDL).
While EIDL was expanded by the CARES Act, it is separate from the larger Paycheck Protection Program (PPP) that recently passed to help small businesses through the challenges induced by the coronavirus pandemic.
However, security professionals are warning that small businesses should remain vigilant in assessing any possible damages from the breach, regardless of their loan status with the SBA.
“Initial disclosures of these kinds of breaches are often filled with qualifiers like ‘may’ and ‘might have included.’ It’s difficult for an affected party to really understand what the impact will be,” said Tim Erlin, vice president of product management and strategy at cybersecurity firm Tripwire.
MSSPs can help their small and midsized customers with damage assessments directly or by distributing DIY advice on what steps to take now.
“The small organizations that were impacted by the data leak want to be vigilant and have credit monitoring on their accounts and social security number,” said James McQuiggan, security awareness advocate at KnowBe4.
While the risks to small businesses have yet to be determined, some think they may be relatively small.
“Although this breach could have been very serious had it fallen into the wrong hands, at this time it seems no malicious parties accessed the data. We still need to know more details, but if the breach occurred nearly a month ago, then it would have probably surfaced by now had it been stolen. Small businesses should hope for the best but prepare for the worst. That includes identity theft and phishing,” said Paul Bischoff, privacy advocate with Comparitech.
The need for speed is likely behind the sloppy security surrounding SBA disaster loan programs.
“It’s clear that prioritizing services to save vulnerable small businesses in a pandemic is a priority, but this exposure begs more questions about application data handling risk. Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line?” said Mark Bower, senior vice president at comforte AG.