Thousands of US businesses may have had personally identifiable information (PII) leaked online after a government agency error led to problems with applications for economic relief.
The Small Business Administration (SBA) admitted the error in a letter to affected companies widely reported in the US this week.
It claimed that a problem was discovered with the online portal used by businesses to apply for Economic Injury Disaster Loans (EIDLs). Unspecified “personal identifiable information” linked to 7900 businesses may have been disclosed to other applicants to the program.
This included Social Security numbers, income amounts, names, addresses and contact information, according to Politico.
“We immediately disabled the impacted portion of the website, addressed the issue, and relaunched” the portal, an SBA spokesperson told NPR in an emailed statement.
EIDLs predate the current coronavirus pandemic but have been ramped up with more federal funding to keep the nation’s small businesses afloat with grants of up to $10,000. They’re part of a massive $2tn stimulus package designed to help the country weather the current global health and economic crisis.
Another instrument used by Washington, the $349bn Paycheck Protection Program (PPP), is not thought to be affected.
However, the SBA has come in for criticism for technical glitches and administrative failings that have left US businesses facing significant delays to their emergency government funding.
Jack Mannino, CEO at app security firm nVisium, argued that rigorous testing is essential before rolling out new services, even under strict time frames.
“The coronavirus pandemic has led to many public services scrambling to scale their systems and to build new functionality outside of their normal practices and methods,” he added. “It’s important to understand how these new services affect existing components and expose your users to new threats as you build secure development into your systems engineering.”