Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).
Client information was exposed on April 22 when the bank uploaded PPP applicants' details onto the US Small Business Administration's test platform. The platform was designed to give lenders the opportunity to test the PPP submissions before the second round of applications kicked off.
The breach was revealed in a filing made by Bank of America with the California Attorney General's Office. As a result of the incident, other SBA-authorized lenders and their vendors were able to view clients' information.
Data exposed in the breach consisted of details relating not only to individual businesses, but also to their owners. Compromised data may have included the business address and tax identification number along with the owner's name, address, Social Security number, phone number, email address, and citizenship status.
Bank of America, which is headquartered in Charlotte, North Carolina, said that access to the information was limited.
In a breach notification document, a spokesperson for the bank said: "There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time."
The bank neglected to share any specifics of which applicants were affected by the breach, stating only that it was a "small number" of clients. The exposed data was drawn from a pool of nationwide applications, meaning that businesses in multiple states may have been impacted.
More than 305,000 PPP relief applications have been processed by Bank of America with the SBA.
Upon discovering the breach, the bank asked the Small Business Administration to remove the visible information. According to the filing, the SBA resecured the exposed data within one day of its being accidentally exhibited.
The bank said that the PPP application and submission processes were not affected by the cybersecurity mishap. An internal investigation has been launched to determine how the data came to be exposed.
Bank of America is offering clients affected by the breach free two-year membership of Experian's identity theft protection program.