SBA Gets $60 Billion Boost, Confirms Disaster Loan ‘Back Button’ Data Breach

The House of Representatives has passed legislation to boost SBA disaster loans by another $60 billion. That’s the good news…

On Thursday, April 23, the House of Representatives passed interim legislation that will add $310 billion (£250 billion) to the Paycheck Protection Program (PPP) budget. Due to be signed Friday, April 24, by President Trump, the Paycheck Protection Program and Health Care Enhancement Act will also set aside $60 billion (£48.6 billion) for further economic disaster loans for small businesses.

The Small Business Administration (SBA), which manages the applications for Economic Injury Disaster Loans (EIDL), will no doubt be pleased that funding has been given this boost. Less pleased, I suspect, will be the 7,913 prior EIDL applicants who have been receiving notifications from the SBA of a data breach that could mean their application data was accessible to other applicants.

What SBA application data was potentially breached?

The security problem was discovered by the SBA on March 25 and came to light after notification letters sent to potentially impacted business applicants were published online. The letters confirmed that data which could have been exposed to other applicants using the system included social security numbers, addresses, phone numbers, dates of birth, household size, income and both financial and insurance information.

That is a potential treasure trove of data for anyone looking to use social engineering methods such as phishing to defraud a business, especially given that research published this week by IBM Security revealed that just 14% of small business owners thought they were “very knowledgeable” when it came to the small business loan relief program. IBM also warned it had seen a 6,000% increase since March 11 in the kind of malicious criminal email campaigns that impersonate the Small Business Administration.


Hitting the back button was all it took

The problem, it would appear, happened thanks to a security flaw in the online loan application portal that meant hitting the back button during the process could have displayed application data from another business.

Although no technical information regarding the breach methodology has been made public, it appears remarkably similar to a breach experienced by the Steam gaming store in 2015. As Ars Technica reported at the time, the Steam site was under pressure from denial-of-service traffic and was also very busy on Christmas Day. To handle the traffic load, an updated caching configuration meant that authenticated pages could be cached and served to subsequent users.

I imagine that the SBA loan application site was experiencing rather a lot of demand as well, so such a scenario would certainly fit.
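The article does not say how the SBA portal was built, so the following is an added illustration rather than the SBA's or Steam's code: a small Python model of the Steam-style failure the article describes, where a shared cache keyed on the URL alone stores an authenticated page and hands it to the next visitor. The session identifiers, applicant strings and paths are constructed for the example. The weak setting (the application marking its review page as publicly cacheable) sits beside the corrected one (`Cache-Control: private, no-store`), and `cross_user_leak_check` is the kind of two-session probe a defender can run against a staging environment to confirm that authenticated pages never come back from cache for a different user.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)

# Constructed sample sessions and applicant data for the example; not real records.
SESSIONS = {
    "sess-alice": "Applicant: Alice's Bakery LLC, SSN ending 1111",
    "sess-bob": "Applicant: Bob's Garage Inc, SSN ending 2222",
}

def origin(path: str, session: str, mark_private: bool) -> Response:
    """Hypothetical application server (assumed, not the SBA's).
    mark_private=False reproduces the weak setting: an authenticated page
    leaves the server with public caching directives.
    mark_private=True is the corrected setting."""
    if path == "/application/review":
        if session not in SESSIONS:
            return Response("login required", {"Cache-Control": "no-store"})
        cc = "private, no-store" if mark_private else "public, max-age=300"
        return Response(SESSIONS[session], {"Cache-Control": cc})
    # Genuinely public content may be shared freely.
    return Response("public landing page", {"Cache-Control": "public, max-age=300"})

class SharedCache:
    """Reverse-proxy style cache in front of the origin. Like a generic
    shared cache it keys on the URL only; nothing about the session is part
    of the key, so whatever it stores is served to every later requester."""

    def __init__(self, backend):
        self.backend = backend
        self.store: Dict[str, Response] = {}

    @staticmethod
    def is_cacheable(resp: Response) -> bool:
        # A standards-following shared cache must not store responses that
        # carry 'private' or 'no-store'.
        directives = {d.strip() for d in resp.headers.get("Cache-Control", "").split(",")}
        return not ({"no-store", "private"} & directives)

    def get(self, path: str, session: str, mark_private: bool) -> Tuple[Response, bool]:
        """Returns (response, served_from_cache)."""
        if path in self.store:
            return self.store[path], True
        resp = self.backend(path, session, mark_private)
        if self.is_cacheable(resp):
            self.store[path] = resp
        return resp, False

def cross_user_leak_check(mark_private: bool) -> dict:
    """Defender's probe: request the authenticated page as one user, then as
    a second user, through the same shared cache. A cache hit that returns
    the first user's body means authenticated content is crossing sessions."""
    cache = SharedCache(origin)
    first, _ = cache.get("/application/review", "sess-alice", mark_private)
    second, hit = cache.get("/application/review", "sess-bob", mark_private)
    return {
        "alice_sees": first.body,
        "bob_sees": second.body,
        "cache_hit": hit,
        "leak": hit and second.body == first.body,
    }

if __name__ == "__main__":
    for setting in (False, True):
        result = cross_user_leak_check(mark_private=setting)
        label = "corrected (private, no-store)" if setting else "weak (public, max-age)"
        print(f"{label}: bob sees -> {result['bob_sees']!r}; leak={result['leak']}")
```

The same probe applies to a real deployment: log in as two test accounts, fetch the same authenticated URL through the production cache path, and alert if the second response carries the first account's data or a cache-hit header. Fixing the origin's headers is necessary but not sufficient; the cache configuration itself should also be reviewed so that an operator cannot override `private` and `no-store` under load, which is the change the Steam incident turned on.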

Has any of this data been used maliciously?

“Information is still too limited to assess the potential impact of the incident,” Corin Imai, a senior security advisor at DomainTools, said, “but despite no signs of the data being used for malicious purposes, it is still important for all the affected parties to watch out for socially engineered attacks.”

Senator Ben Sasse (R-NE) said, in an online statement, “Americans are fighting to keep their businesses alive and the last thing they should have to worry about is whether or not their federal government is competent enough to protect their personal information.”


SBA offers credit monitoring and a $1 million insurance policy to potentially affected businesses

The SBA breach notification letters said that (as of April 13) there had been no evidence to suggest the information had been misused and that the website concerned was “immediately disabled,” with the risk mitigated upon discovery. The SBA had “implemented additional safeguards to prevent any future inadvertent disclosure,” the letter continued. It also went on to offer those in receipt of the notification 12 months of credit and identity monitoring, a credit report and a $1 million (£810,960) insurance reimbursement policy.
