[BreachExchange] Application for disaster loans exposed business owners' personal data

Destry Winant destry at riskbasedsecurity.com
Wed Apr 8 10:31:41 EDT 2020


About 100 business owners had personal information exposed when they
used an unsecured government online portal to apply for
federal disaster loans, officials said Friday.

The information, including names, addresses, birth dates and Social
Security numbers, was exposed to other users of the online application
portal, according to the U.S. Small Business Administration, which
runs the disaster loan program.

The agency hasn’t yet provided geographic information for the business
owners who had their personal information exposed. However, they are
being notified individually and offered free credit monitoring for one

SBA disabled the portal’s online application function on Wednesday. It
was unclear on Friday how long the personal information was exposed.

Applicants are being directed to download PDFs of the application
forms at disasterloan.sba.gov/apply-for-disaster-loan/index.html and
upon completion upload them to the SBA via the BOX widget on the
website. Completed applications also may be emailed to
disasterloans at sba.gov, faxed to 202-481-1505 or sent via postal mail
to the U.S. Small Business Administration Processing and Disbursement
Center, 14925 Kingsport Rd., Fort Worth, Texas, 76155.

“Personal identifiable information of approximately 100 Economic
Injury Disaster Loan applicants was potentially exposed to other
applicants on the SBA’s loan application site,” agency spokeswoman
Jennifer F. Kelly said Friday from Washington. “We immediately
disabled the impacted portion of the website.”

The agency said Thursday it has seen “a surge of applications from Long Island.”

The disaster loans are for up to $2 million per applicant and can be
repaid over a maximum of 30 years. The interest rate is 3.75%.
