The Personally Identifiable Information (PII) of 7,913 business owners who applied for an Economic Injury Disaster Loan may have been exposed to other applicants on the application site. Potentially exposed information includes Social Security numbers, addresses, dates of birth, and financial data, among other credentials. At this time, there is no evidence that this information has been misused.
The portal has since been fixed and the site has re-launched. Further, affected businesses have been offered a year of free credit monitoring. In the wake of a breach, it is important that companies offer the victims identity protections services. However, according to 4iQ’s 2019 Identity Protection & Data Breach Survey, more than half of respondents did not enroll in credit monitoring services offered by companies following a breach. It is apparent that many people do not see the value in these sort of services, which needs to change.
The official said that in order to access other business owners' information, small business applicants must have been in the loan application portal. If the user attempted to hit the page back button, he or she may have seen information that belonged to another business owner, not their own.