Bug in federal emergency loan system may have leaked thousands of applicants' info



Thousands of small business owners who recently applied for relief from the Small Business Administration's (SBA) Economic Injury Disaster Loan (EIDL) program may have had their private information exposed in a major security mishap. A Trump administration official confirmed the development to CNBC.

Without a doubt, this is distressing news for small business owners. A nationally conducted survey by WalletHub noted that 87 percent of these owners report that the coronavirus has had a hugely destructive impact on their business. A $2 trillion stimulus package containing $500 billion in loans for businesses, signed by Donald Trump, could help — but a leak like this one inspires little confidence in the agency's security infrastructure.

What was exposed — Almost 8,000 applicants may have been affected. CNBC reported that if a small business owner wanted to apply for a loan, they had to provide their personal information on the portal. If they hit the page back button, they may have accessed information belonging to another business owner. This type of data leak was previously seen on Steam as well.

Exposed information included extremely personal details like people's Social Security Numbers, their personal home addresses, their marital and citizenship statuses, their annual income, information about their insurance and tax, and much more. So far, according to SBA, there have been no reports of identity theft, fraud, or similar schemes from affected applicants.

Here's the timeline — The SBA told CNBC that the issue was spotted on March 25 and that affected individuals were immediately notified. As a remedy, the SBA said it would offer affected accounts a year of credit monitoring at no cost to them, and noted that it had also disabled the compromised segment of the website. Those affected will also be offered identity theft protection services.

It's worth noting here that the EIDL is a separate entity and should not be confused with the Paycheck Protection Program. So far, SBA reports that 755,476 EIDL emergency grants have been approved under COVID-19, with expectations for even more applications. During these tense times, it is natural for loan programs to see an overwhelming demand for help — just as they have seen similarly heightened calls for relief during natural disasters like hurricanes and tornadoes. But these federal agencies have to do better at providing sound technical solutions that don't cost struggling people their basic privacy. It's the least they can do.