SBA reports data breach in disaster loan application website

The Small Business Administration reported a potential breach last month in its website that handles loan applications.

The agency said Tuesday the personal information of nearly 8,000 business owners applying for economic injury disaster loans was potentially seen by other applicants on the SBA website on March 25. The SBA said only the disaster loan program was affected, not the Paycheck Protection Program, which did not begin until April 3 and which is handled by a separate system.

Carol Wilkerson, an SBA spokeswoman, said in a statement the agency has notified the 7,913 owners whose information may have been exposed and offered them a year of free credit monitoring. The agency immediately disabled the affected part of its system, Wilkerson said.

Business owners have previously had issues with the disaster loan website. The site was taken down for maintenance for several hours on March 16, and owners could not apply during that time. On March 29, the SBA relaunched its application for the disaster loans and owners had to reapply. Many learned days or weeks later that they needed to reapply.

The SBA also said it had processed more than 755,000 disaster loan advances, $10,000 each and totaling nearly $3.3 billion as of Monday. The advances are essentially grants. The agency also said it processed nearly 27,000 disaster loans totaling nearly $5.6 billion.

Business owners apply for disaster loans directly to the SBA website, http://www.sba.gov, unlike the paycheck protection loans that are sought through banks and then approved by the SBA.

Congress and President Donald Trump reached a tentative agreement Tuesday to add $300 billion to the Paycheck Protection Program, which ran through its initial $349 billion appropriation last week after the SBA approved more than a million loans. Thousands of business owners have applications waiting to be sent to the SBA for approval, or are waiting to apply.

You might also like
Leave A Reply

Your email address will not be published.