Experts warn the Small Business Administration's mishandling of the leak of disaster loan applicants' personal information could be a bad sign of things to come, as records show the agency has struggled with cybersecurity for years

Shayna Chapman, Ohio CPA

  • Government reports, auditors, and former officials say that for years technical issues have dogged the Small Business Administration, which is currently 'overwhelmed' by stimulus loan issues.  
  • This week a data breach on the agency website was handled badly, data-security experts say, as applicants like CPA Shayna Chapman of Ohio received nothing but a vague letter. 
  • The data breach follows years of cybersecurity issues – 35 at once were cited in a 2015 audit of the SBA, one of many audits to cite issues. Experts say this might mean the worst is yet to come. 
  • A former SBA official says the small agency is "overwhelmed and underfunded" and pressured for political reasons.
  • Applicants who are not receiving information from the SBA are getting realistic scam emails that successfully mimic the SBA website, IBM found in research released Thursday. 

Shayna Chapman, an accountant in the tiny Appalachian town of Gallipolis, Ohio, applied for a loan with the Small Business Administration on March 25, seeking relief funds to help her business in the wake of COVID-19.

She heard nothing back until three weeks later, when she received what she described as "a very odd, generic letter" saying her data may have been exposed on the SBA website. Indeed, this week, the agency said that as many as 8,000 loan applicants may have been affected by the breach.

"I thought it might be a scam. I couldn't find any more information about it online. I finally verified it, and I was like, Are you kidding? I went straight from applying to getting this generic letter? That's it? Nothing before and nothing since?" Chapman still doesn't know if she was approved for her loan.  

SBA loans are the centerpiece of the US government's relief program to restart the economy after COVID-19. The agency of 3,300 just oversaw $350 billion in taxpayer-funded loans in two weeks – and another, larger round of funding appears to be headed the SBA's way. That means the SBA website is the home page for small businesses seeking funds to pay their employees and get America back to work.

But cybersecurity experts say the data leak – and how it was handled – may be a bad sign that more security issues are ahead. Records and auditors point to a clear trail of technical issues in the past.

Five years ago, the Inspector General's office that audits the SBA found the agency "still needs to address long-standing security weaknesses identified in 35 open information technology (IT) audit recommendations." 

But the issues have persisted. Three times in the past six months the IG warned the agency about cybersecurity issues, including in a report March 30 devoted entirely to those issues. "There is increased risk that management may not sufficiently identify and mitigate security risks," the report said. "We evaluated the overall program as not effective." 

A spokesperson for the Inspector General's office that handles oversight of the SBA said "IT has been a persistent challenge for the SBA. That hurts their ability to plan and execute. It is definitely one of those areas where you need to have a robust, stable platform." Rushing to address urgent needs such as economic stimulus makes the IT issues a bigger risk, the auditor said. 

A former SBA official says the pressure to send out loans immediately has overwhelmed the agency. Natalia Olson-Urtecho, a regional administrator at the SBA from 2012 to 2017, defends the staff at the agency. "They are overwhelmed and underfunded. We needed to do an emergency package – politically speaking. Congress and the White House are trying to get a lot of things done in a short period of time."

"Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line?" asked Mark Bower, a senior vice president at the cybersecurity firm Comforte AG.

The SBA did not respond to repeated requests for comment from Business Insider.

The handling of the data breach attracts criticism

Data privacy experts say the SBA failed in its handling of the March data breach, in which 8,000 loan applicants' information may have been exposed on the SBA website.

The agency said in a letter to Shayna Chapman and others:  "The SBA discovered on March 25, 2020 SBA's disaster loan application website may have led to inadvertent disclosure to personally identifiable information (PII) to other applicants. We immediately disabled the website. To date there is no evidence to suggest that there has been any attempt to misuse the information."

That doesn't cut it, according to an expert on the subject.

"The announcement is opaque – 'We had a problem. We fixed it. Nothing to see here.' Most small businesses have been checking their inboxes for emails from the SBA telling them whether or not they are eligible for a loan, and 8,000 received an email offering them a free credit monitoring," said Colin Bastable, CEO of security awareness training company Lucy Security.

It's unclear if the SBA publicly acknowledged the data leak anywhere, except to confirm the information in the letter sent to Chapman and others. 

A vague letter from the SBA was especially confusing at a time when hackers are expertly mimicking the agency's communications. 

SBA email spoof

IBM found in research released Thursday that hackers have successfully "spoofed" the SBA website in phishing emails promising information on stimulus loans. That means emails that contain computer viruses look like they actually have come from sba.gov, the agency's website, because cyber criminals have been able to recreate the domain in the sender's email address. 

The lack of information, in light of all the struggles loan applicants have gone through, is what troubles Shayna Chapman, who helped 17 of her clients in small-town Ohio apply for SBA loans. Two were approved. Fifteen of them never heard anything back.

"I know this is all happening very fast, and it's very complicated, and the SBA has good intentions. But it sure would have been nice to get more communication. People just don't know what's going on."
