The House of Representatives passed legislation to increase SBA disaster lending by an additional $60 billion. This is the good news …
On Thursday, April 23, the House of Representatives passed an interim bill that will add $310 billion (£250 billion) to the Paycheck Protection Program (PPP). Due to be signed by President Trump on Friday, April 24, the Paycheck Protection Program and Health Care Enhancement Act will also set aside $60 billion (£48.6 billion) for new economic injury disaster loans for small businesses.
The Small Business Administration (SBA), which manages Economic Injury Disaster Loan (EIDL) applications, will no doubt be delighted that funding has received this boost. Less fortunate, I suppose, will be the 7,913 past EIDL applicants who have received data breach notifications from the SBA. A breach that could have meant their application data was accessible to other applicants.
What SBA application data has potentially been exposed?
The security issue was discovered by the SBA on March 25 and came to light after notification letters sent to potentially affected business applicants were posted online. The letters confirmed that the data that could have been exposed to other applicants using the system included Social Security numbers, addresses, phone numbers, dates of birth, household size, income, and financial and insurance information.
A potential treasure trove of data for anyone looking to use social engineering methods such as phishing to defraud a business. Especially given that research published this week by IBM Security found that only 14% of small business owners thought they were “very knowledgeable” about the small business loan relief program. IBM also warned that it had seen a 6,000% increase since March 11 in malicious email campaigns masquerading as the Small Business Administration.
Hitting the back button was all it took
The problem, it seems, is down to a security flaw in the online loan application portal which meant that hitting the back button during the process could have displayed the loan application data of another business.
While no technical information regarding the breach methodology has been made public, it appears remarkably similar to a breach suffered by the Steam game store in 2015. As Ars Technica reported at the time, the Steam site was under denial-of-service traffic and was very busy on Christmas Day. To handle the traffic load, an updated caching configuration meant that authenticated pages could be cached and served to subsequent users.
I imagine the SBA loan application site was in high demand as well, so such a scenario would definitely fit.
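To make the Steam-style failure mode concrete, here is an added simulation (not code from the SBA portal or from the Steam incident, whose details are not public) of a shared cache sitting in front of an authenticated page. The weak configuration keys cache entries on the URL alone and stores pages the origin never marked private, so the first applicant's page is handed to the next applicant who loads the same URL. The two fixes shown are the ones a practitioner would check for: the origin sending `Cache-Control: private, no-store` on authenticated responses, and the cache folding the session cookie into its key (the effect of `Vary: Cookie`). The applicant names, session cookies and record contents are constructed for illustration.

```python
"""Added example: a shared cache in front of an authenticated page.

Models a cache layer keyed only on the URL that stores pages the origin
did not mark private, so one applicant's page is served to the next.
Sessions and records below are constructed sample data, not real data.
"""

from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed sample sessions and application records (illustrative only).
SESSIONS = {"sess-A": "Applicant A", "sess-B": "Applicant B"}
APPLICATIONS = {
    "Applicant A": "SSN ***-**-1111, household 4, income 80000",
    "Applicant B": "SSN ***-**-2222, household 2, income 55000",
}


@dataclass
class Response:
    body: str
    headers: Dict[str, str]


def origin(path: str, cookie: str, mark_private: bool) -> Response:
    """The application server: renders the logged-in applicant's own record."""
    user = SESSIONS[cookie]
    body = f"{path} for {user}: {APPLICATIONS[user]}"
    if mark_private:
        # Correct: an authenticated response must never sit in a shared cache.
        cache_control = "private, no-store"
    else:
        # Weak: a blanket caching policy applied to every page to absorb load.
        cache_control = "public, max-age=600"
    return Response(body, {"Cache-Control": cache_control})


class SharedCache:
    """A reverse-proxy cache shared by every user of the site."""

    def __init__(self, honor_cache_control: bool, vary_on_cookie: bool):
        self.honor_cache_control = honor_cache_control
        self.vary_on_cookie = vary_on_cookie
        self.store: Dict[tuple, Response] = {}

    def fetch(self, path: str, cookie: str,
              app: Callable[[str, str], Response]) -> Tuple[Response, bool]:
        """Return (response, served_from_cache)."""
        # Weak: key on the URL alone, so every user shares one entry.
        # Fixed: include the session cookie in the key (what 'Vary: Cookie' does).
        key = (path, cookie) if self.vary_on_cookie else (path,)
        if key in self.store:
            return self.store[key], True
        resp = app(path, cookie)
        cc = resp.headers.get("Cache-Control", "")
        storable = True
        if self.honor_cache_control and ("private" in cc or "no-store" in cc):
            storable = False  # the origin told us not to keep this one
        if storable:
            self.store[key] = resp
        return resp, False


def run_scenario(mark_private: bool, honor_cache_control: bool,
                 vary_on_cookie: bool) -> Tuple[str, bool]:
    """Applicant A loads the page, then Applicant B loads the same URL.

    Returns (body Applicant B received, whether it came from the cache).
    """
    cache = SharedCache(honor_cache_control, vary_on_cookie)
    app = lambda path, cookie: origin(path, cookie, mark_private)
    cache.fetch("/application", "sess-A", app)
    resp_b, hit = cache.fetch("/application", "sess-B", app)
    return resp_b.body, hit


def leaks_other_applicant(body: str, viewer_cookie: str) -> bool:
    """True if the page shows a record belonging to someone other than the viewer."""
    viewer = SESSIONS[viewer_cookie]
    return any(name in body for name in APPLICATIONS if name != viewer)


if __name__ == "__main__":
    cases = {
        "weak: public pages, URL-only key":    (False, True, False),
        "fixed at origin: private/no-store":   (True, True, False),
        "fixed at cache: key includes cookie": (False, True, True),
        "cache ignores Cache-Control":         (True, False, False),
    }
    for label, args in cases.items():
        body, hit = run_scenario(*args)
        print(f"{label:38} hit={hit!s:5} leak={leaks_other_applicant(body, 'sess-B')}")
```

The last case is the one the Steam comparison points at: a `private` header from the application does nothing if the cache configuration in front of it has been changed to ignore it, so both the origin headers and the cache's key policy are worth checking after any load-driven caching change.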
Has any of this data been used maliciously?
“The information is still too limited to assess the potential impact of the incident,” said Corin Imai, senior security advisor at DomainTools, “but despite no signs of the data being used for malicious purposes, it is still important for all concerned parties to beware of social engineering attacks.”
Senator Ben Sasse (R-NE) said, in an online statement, “Americans are fighting to keep their businesses alive and the last thing they should have to worry about is whether their federal government is competent enough to protect their personal information.”
SBA Offers Credit Monitoring and Million Dollar Insurance Policy to Potentially Affected Businesses
SBA breach notification letters indicated that as of April 13, there had been no evidence to suggest that the information had been misused, and that the affected website was “immediately deactivated” and the risk mitigated as soon as it was discovered. The SBA had “put in additional safeguards to prevent inadvertent future disclosure,” the letter continued. It also offered the recipients of the notification 12 months of credit and identity monitoring, a credit report, and a $1 million (£810,960) insurance reimbursement policy.