Skip to main content

Experts warn the Small Business Administration's mishandling of the leak of disaster loan applicants' personal information could be a bad sign of things to come, as records show the agency has struggled with cybersecurity for years

Shayna Chapman, Ohio CPA

  • Government reports, auditors, and former officials say that for years technical issues have dogged the Small Business Administration, which is currently 'overwhelmed' by stimulus loan issues.  
  • This week a data breach on the agency website was handled badly, data-security experts say, as applicants like CPA Shayna Chapman of Ohio received nothing but a vague letter. 
  • The data breach follows years of cybersecurity issues – 35 at once were cited in a 2015 audit of the SBA, one of many audits to cite issues. Experts say this might mean the worst is yet to come. 
  • A former SBA official says the small agency is "overwhelmed and underfunded" and pressured for political reasons.
  • Applicants who are not receiving information from the SBA are getting realistic scam emails that successfully mimic the SBA website, IBM found in research released Thursday. 
  • Visit Business Insider's homepage for more stories.

Shayna Chapman, an accountant in the tiny Appalachian town of Gallipolis, Ohio, applied for a loan with the Small Business Administration on March 25, seeking relief funds to help her business in the wake of COVID-19.

She heard nothing back until three weeks later when she received what she described as "a very odd, generic letter" saying her data may have been exposed on the SBA website. Indeed, this week, the agency said that as many as 8,000 loan applicants may have been affected by the breach.

"I thought it might be a scam. I couldn't find any more information about it online. I finally verified it, and I was like, Are you kidding? I went straight from applying to getting this generic letter? That's it? Nothing before and nothing since?" Chapman still doesn't know if she was approved for her loan.  

SBA loans are the centerpiece of the US government's relief program to restart the economy after COVID-19. The agency of 3,300 just oversaw $350 billion in taxpayer-funded loans in two weeks –  and another larger round of funding appears to be headed the SBA's way. That means the SBA website is the home page for small businesses seeking funds to pay their employees and get America back to work.

But cybersecurity experts say the data leak – and how it was handled – may be a bad sign that more security issues are ahead. Records and auditors say there is a clear path of technical issues in the past.  

Five years ago, the Inspector General's office that audits the SBA found the agency "still needs to address long-standing security weaknesses identified in 35 open information technology (IT) audit recommendations." 

But the issues have persisted. Three times in the past six months the IG warned the agency about cybersecurity issues, including in a report March 30 devoted entirely to those issues. "There is increased risk that management may not sufficiently identify and mitigate security risks," the report said. "We evaluated the overall program as not effective." 

A spokesperson for the Inspector General's office that handles oversight of the SBA said "IT has been a persistent challenge for the SBA. That hurts their ability to plan and execute. It is definitely one of those areas where you need to have a robust, stable platform." Rushing to address urgent needs such as economic stimulus makes the IT issues a bigger risk, the auditor said. 

A former SBA official says the pressure to send out loans immediately has overwhelmed the agency. Natalia Olson-Urtecho, a regional administrator at the SBA from 2012-2017, defends the staff at the agency. "They are overwhelmed and underfunded. We needed to do an emergency package – politically speaking. Congress and the White House are trying to get a lot of things done in a short period of time."

"Have best practices like data-centric security been traded-off to launch quickly, leading to further exposure and attack down the line?" asked Mark Bower, a senior vice president at the cybersecurity firm Comforte AG.

The SBA did not respond to repeated requests for comment from Business Insider.

The handling of the data breach attracts criticism

Data privacy experts say the SBA failed in its handling of the March data breach, in which 8,000 loan applicants' information may have been exposed on the SBA website.

The agency said in a letter to Shayna Chapman and others:  "The SBA discovered on March 25, 2020 SBA's disaster loan application website may have led to inadvertent disclosure to personally identifiable information (PII) to other applicants. We immediately disabled the website. To date there is no evidence to suggest that there has been any attempt to misuse the information."

That doesn't cut it, according to an expert on the subject.

"The announcement is opaque – 'We had a problem. We fixed it. Nothing to see here.' Most small businesses have been checking their inboxes for emails from the SBA telling them whether or not they are eligible for a loan, and 8,000 received an email offering them a free credit monitoring," said Colin Bastable, CEO of security awareness training company Lucy Security.

It's unclear if the SBA publicly acknowledged the data leak anywhere, except to confirm the information in the letter sent to Chapman and others. 

A vague letter from the SBA was especially confusing at a time when hackers are expertly mimicking the agency's communications. 

SBA email spoof

IBM found in research released Thursday that hackers have successfully "spoofed" the SBA website in phishing emails promising information on stimulus loans. That means emails that contain computer viruses look like they actually have come from sba.gov, the agency's website, because cyber criminals have been able to recreate the domain in the sender's email address. 

Lack of information in light of all the struggles loan applicants have gone through is what troubles Shayna Chapman, who helped 17 of her clients in small-town Ohio to apply for SBA loans. Two were approved. Fifteen of them never heard anything back.

I know this is all happening very fast, and it's very complicated, and the SBA has good intentions. But it sure would have been nice to get more communication. People just don't know what's going on."

Join the conversation about this story »

NOW WATCH: What makes 'Parasite' so shocking is the twist that happens in a 10-minute sequence



Udimi - Buy Solo Ads from Tech Insider https://ift.tt/2yJ21vp
via IFTTT

Comments

Popular posts from this blog

9 VCs in Madrid and Barcelona discuss the COVID-19 era and look to the future

Spain’s startup ecosystem has two main hubs: Madrid and Barcelona. Most observers place Barcelona first and Madrid second, but the gap appears to close every year. Barcelona has benefitted from attracting expats in search of sun, beach and lifestyle who tend to produce more internationally minded startups. Madrid’s startups have predominantly been Spain or Latin America-focused, but have become increasingly international in nature. Although not part of this survey, we expect Valencia to join next year, as city authorities have been going all-out to attract entrepreneurs and investors. The overall Spanish ecosystem is generally less mature than those in the U.K., France, Sweden and Germany, but it has been improving at a fast clip. More recently, entrepreneurs in Spain have moved away from emulating success in pursuit of innovative technologies. Following the financial crisis, the Spanish government supported the creation of startups with the launch of FOND-ICO GLOBAL, a €1.5 billi...

How to Stay Creative and Keep SEO in Mind

Information Technology Blog - - How to Stay Creative and Keep SEO in Mind - Information Technology Blog Search engine optimization (SEO) refers to customizing your website’s content to ensure that web browsers give your website a high SEO score. The sites with the highest SEO scores are featured on the search engine’s first page of search results for relevant searches.  71%  of the click-throughs happen with articles listed on the first page of results on the search engine. This means that if your website’s article is the second (or third, or fourth page), it’s less likely the search user will even see your article. You want your article to be ranking as close to the top of the first page of results as possible. In order to have a good SEO score your site’s content needs to feature keywords and relevant phrases. It must be optimized for easy navigation between pages. It also needs to be referenced via external links that drive traffic to your site. Incorporating all of t...

Everything we know about HHS Protect, a secretive government project with Peter Thiel's Palantir that helps brief Trump's coronavirus task force

A secretive project at the US Department of Health and Human Services is working with technology companies to collect and analyze data related to the novel coronavirus .  Dubbed "HHS Protect," the effort tracks information from around the country about coronavirus case numbers, hospital capacity, and even supply chain issues.  HHS uses Palantir Technologies , a data firm cofounded by Peter Thiel, to distill that information for the White House coronavirus task force. Visit Business Insider's homepage for more stories . A secretive project at the US Department of Health and Human Services is working with technology companies to collect and analyze data related to the novel coronavirus.  Dubbed "HHS Protect," the effort includes roughly 2.5 billion pieces of data from healthcare providers, government officials, and labs around the country about coronavirus case numbers, hospital capacity, and even supply chain issues.  The goal is learn about the progress...