The Bank of America Corporation has confirmed that it has discovered a data breach that may have compromised the details of the 305,000 Paycheck Protection Program (PPP) loans it has processed in recent weeks.
According to reports, “the breach occurred on April 22, as BofA uploaded PPP applications onto the U.S. Small Business Administration’s test platform, according to a filing with the California Attorney General’s Office. The limited-access platform allowed lenders to test PPP submissions before the second round began.”
Bank of America wrote in a notification letter that “during testing, we discovered information included in your application may have been visible for a limited time period to a limited number of other lenders and their vendors authorized by the SBA to participate in the program.”
Financial institutions associated with the Small Business Administration, as well as their vendors, were able to view the information of clients submitting their applications. The bank, however, has stated that the details exposed were extremely limited.
“There is no indication that your information was viewed or misused by these lenders or their vendors,” Bank of America told its clients, adding that “your information was not visible to other business clients applying for loans, or to the public, at any time.”
It’s likely that the exposed information was made up of sensitive details on the organisation, as well as on the owners who were applying. This, according to Sarah Coble, could include “business address and tax identification number along with the owner’s name, address, social security number, phone number, email address and citizenship status.”
Bank of America offered clients who might have been affected by the data breach complimentary access to its identity theft program, in case their information was indeed accessed and could be leveraged by scammers and cybercriminals in phishing campaigns.
Bank of America has not confirmed which, or how many, applicants had their details exposed, stating instead that it remained a problem isolated to a “small number” of its clients. For reference, Bank of America says it has processed more than 300,000 Paycheck Protection Program applications.
The Small Business Administration has said that it moved quickly to remove any visible information on its site, and according to the filing submitted to the California Attorney General, the SBA managed to address all exposed data within a 24-hour period of it first becoming visible.
Bank of America has reassured its clients that their submissions for the PPP have not been impacted by the data breach, adding that the bank has launched an internal investigation to examine how the data was exposed in the first place.
The SBA’s Paycheck Protection Program has run into a number of hurdles as it rolls out more than half a trillion dollars to small and medium-sized businesses that are struggling as a result of the COVID-19 pandemic. We reported last month that the website had crashed within minutes of launching the second round of PPP applications online.
Forbes is reporting that the SBA has now approved more than $511 billion worth of PPP loans for small businesses in the U.S.