Almost 8,000 business owners who applied for a loan from the Small Business Administration may have had their personal information exposed to other applicants, the SBA admitted on Tuesday.
The breach relates to a long-standing SBA program called Economic Injury Disaster Loans (EIDL). It has traditionally been used to aid owners whose businesses are disrupted by hurricanes, tornadoes, or other disasters. It was recently expanded by Congress in the $2.2 trillion CARES Act. In addition to loans, the law authorized grants of up to $10,000 that don't need to be paid back. The EIDL program is separate from the larger Paycheck Protection Program that was also part of the CARES Act. The SBA says that PPP applicants were not affected by the breach.
A Trump administration official described the problem to CNBC : The official said that in order to access other business owners' information, small business applicants must have been in the loan application portal. If the user attempted to hit the page back button, he or she may have seen information that belonged to another business owner, not their own.
