Bank of America Reveals a Data Breach at SBA's Paycheck Protection Program

The COVID-19 pandemic has set us a number of challenges, and although we're all pretty sure that we'll overcome them, some of them are presenting quite a few unexpected difficulties. Today's story, for example, will show you how the solutions we use to fight the crisis are often designed in a hurry and are sometimes flawed. It should also show you how bad the consequences of all this could be.

To help small businesses survive the pandemic, the US Small Business Administration set up the Paycheck Protection Program. Enterprises that take part in it can get a loan that will be fully forgiven if it's directly used to keep the workforce employed during the period of the lockdown.

The money is supposed to be loaned by banks participating in the program, like Bank of America (BofA), and it is their responsibility to process applicants' information and hand it over to the agency. The SBA quickly built a brand new online platform to facilitate this, and on April 22, BofA was testing it by submitting some applications. For reasons that remain unclear, although this was supposed to be a test, the bank was using real applications full of real data. Sure enough, at one point, its security team noticed that the submitted information was also accessible to other people logged into the system.

An SBA test system exposed applicants' information

Last week, Bank of America filed a data breach notification with the State of California's Attorney General to disclose the incident. The details are few, but according to the letter, when they were submitting April 22's applications, BofA's IT professionals noticed a flaw in SBA's system, which gave other lenders access to the documents.

This was a worry because the filings contained quite a lot of information about the businesses applying for the loan and their owners. The potentially exposed data included:

  • Names
  • Emails
  • Home addresses
  • Business addresses
  • Phone numbers
  • Tax identification numbers
  • Social Security Numbers

It sounds scarier than it is

As soon as BofA noticed the potential exposure, it notified the SBA, and the data was deleted from the vulnerable system. The breach notice points out that there is no evidence of any unauthorized access to the data, and a spokesperson told The Charlotte Business Journal that the number of affected customers is "small." Nevertheless, because the breach involved some extremely sensitive information, the bank is providing potentially involved customers with two years' worth of identity theft protection. The incident should have no bearing on the clients' Paycheck Protection Program applications, and all in all, it doesn't look like the worst leak in the world. A leak is a leak, however, and we must learn from it.

BofA wasn't the only bank to test the system, but it is the only one that is disclosing a potential data exposure, which may or may not suggest that other lenders used dummy or invalid information. Whatever the case, data security experts at the bank should probably think about the policies employed when processing customers' personal and business details. They're not the only ones who should be drawing conclusions from all this, though.

It's obvious that the SBA didn't have the time to properly test the Paycheck Protection Program system. About a month before Bank of America discovered this glitch, however, the agency went through another, unrelated incident, which suggests that data security should probably be pushed up the SBA's priority list. In that case, a vulnerability threatened to expose the private and business information of 8,000 applicants to the Economic Injury Disaster Loan program.

The coronavirus pandemic can't be an excuse for poor handling of people's data. Hopefully, everyone responsible will understand this before it's too late.

May 27, 2020
