Experts warn the Small Business Administration's mishandling of the leak of disaster loan applicants' personal information could be a bad sign of things to come, as records show the agency has struggled with cybersecurity for years

Shayna Chapman, Ohio CPA
  • Government reports, auditors, and former officials say that for years technical issues have dogged the Small Business Administration, which is currently 'overwhelmed' by stimulus loan issues.  
  • This week a data breach on the agency website was handled badly, data-security experts say, as applicants like CPA Shayna Chapman of Ohio received nothing but a vague letter. 
  • The data breach follows years of cybersecurity issues – 35 at once were cited in a 2015 audit of the SBA, one of many audits to cite issues. Experts say this might mean the worst is yet to come. 
  • A former SBA official says the small agency is "overwhelmed and underfunded" and pressured for political reasons.
  • Applicants who are not receiving information from the SBA are getting realistic scam emails that successfully mimic the SBA website, IBM found in research released Thursday. 
Shayna Chapman, an accountant in the tiny Appalachian town of Gallipolis, Ohio, applied for a loan with the Small Business Administration on March 25, seeking relief funds to help her business in the wake of COVID-19.
She heard nothing back until three weeks later when she received what she described as "a very odd, generic letter" saying her data may have been exposed on the SBA website. Indeed, this week, the agency said that as many as 8,000 loan applicants may have been affected by the breach.
"I thought it might be a scam. I couldn't find any more information about it online. I finally verified it, and I was like, Are you kidding? I went straight from applying to getting this generic letter? That's it? Nothing before and nothing since?" Chapman still doesn't know if she was approved for her loan. 
SBA loans are the centerpiece of the US government's relief program to restart the economy after COVID-19. The agency of 3,300 just oversaw $350 billion in taxpayer-funded loans in two weeks – and another larger round of funding appears to be headed the SBA's way. That means the SBA website is the home page for small businesses seeking funds to pay their employees and get America back to work.
But cybersecurity experts say the data leak – and how it was handled – may be a bad sign that more security issues are ahead. Records and auditors say there is a clear path of technical issues in the past. 
Five years ago, the Inspector General's office that audits the SBA found the agency "still needs to address long-standing security weaknesses identified in 35 open information technology (IT) audit recommendations."
But the issues have persisted. Three times in the past six months the IG warned the agency about cybersecurity issues, including in a report March 30 devoted entirely to those issues. "There is increased risk that management may not sufficiently identify and mitigate security risks," the report said. "We evaluated the overall program as not effective."
A spokesperson for the Inspector General's office that handles oversight of the SBA said "IT has been a persistent challenge for the SBA. That hurts their ability to plan and execute. It is definitely one of those areas where you need to have a robust, stable platform." Rushing to address urgent needs such as economic stimulus makes the IT issues a bigger risk, the auditor said.
A former SBA official says the pressure to send out loans immediately has overwhelmed the agency. Natalia Olson-Urtecho, a regional administrator at the SBA from 2012-2017, defends the staff at the agency. "They are overwhelmed and underfunded. We needed to do an emergency package – politically speaking. Congress and the White House are trying to get a lot of things done in a short period of time."
"Have best practices like data-centric security been traded off to launch quickly, leading to further exposure and attack down the line?" asked Mark Bower, a senior vice president at the cybersecurity firm Comforte AG.
The SBA did not respond to repeated requests for comment from Business Insider.

The handling of the data breach attracts criticism

Data privacy experts say the SBA failed in its handling of the March data breach, in which 8,000 loan applicants' information may have been exposed on the SBA website.
The agency said in a letter to Shayna Chapman and others: "The SBA discovered on March 25, 2020 SBA's disaster loan application website may have led to inadvertent disclosure to personally identifiable information (PII) to other applicants. We immediately disabled the website. To date there is no evidence to suggest that there has been any attempt to misuse the information."
That doesn't cut it, according to an expert on the subject.
"The announcement is opaque – 'We had a problem. We fixed it. Nothing to see here.' Most small businesses have been checking their inboxes for emails from the SBA telling them whether or not they are eligible for a loan, and 8,000 received an email offering them free credit monitoring," said Colin Bastable, CEO of security awareness training company Lucy Security.
It's unclear if the SBA publicly acknowledged the data leak anywhere, except to confirm the information in the letter sent to Chapman and others.
A vague letter from the SBA was especially confusing at a time when hackers are expertly mimicking the agency's communications.
SBA email spoof
IBM found in research released Thursday that hackers have successfully "spoofed" the SBA website in phishing emails promising information on stimulus loans. That means emails that contain computer viruses look like they actually came from the agency's website, because cyber criminals have been able to recreate the agency's domain in the sender's email address.
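The spoofing IBM describes works because the visible From: address can carry any domain; mail filters catch it by comparing that domain against the envelope sender and the receiving server's SPF/DKIM verdicts. The following Python is an added, defender-side example written for this article, not code from IBM, the SBA or Business Insider. It assumes the agency's domain is sba.gov and that the receiving mail server stamps an Authentication-Results header; both sample messages are constructed for illustration.

```python
"""Flag messages whose From: domain claims to be the SBA (assumed: sba.gov)
while the envelope sender or SPF/DKIM results say otherwise.
Added example; the two sample messages below are constructed, not real."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "sba.gov"  # assumption: the agency domain being impersonated


def header_domain(msg, name):
    """Lower-cased domain part of an address header, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None


def auth_result(msg, mechanism):
    """Verdict ('pass', 'fail', 'none', ...) for spf= or dkim= in the
    Authentication-Results header added by the receiving server."""
    header = msg.get("Authentication-Results", "")
    match = re.search(rf"\b{mechanism}=(\w+)", header, re.IGNORECASE)
    return match.group(1).lower() if match else None


def in_org(domain):
    """True for the org domain itself or any subdomain of it."""
    return domain is not None and (
        domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN))


def assess(raw_message):
    """Return a verdict dict for one raw RFC 5322 message string."""
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg, "From")
    envelope_domain = header_domain(msg, "Return-Path")
    reasons = []
    if in_org(from_domain):
        # Visible sender claims to be the agency: every check must agree.
        if envelope_domain and not in_org(envelope_domain):
            reasons.append(
                f"envelope sender {envelope_domain} differs from From domain")
        if auth_result(msg, "spf") != "pass":
            reasons.append("SPF did not pass for the sending server")
        if auth_result(msg, "dkim") != "pass":
            reasons.append("no valid DKIM signature from the From domain")
    return {"from_domain": from_domain,
            "suspicious": bool(reasons),
            "reasons": reasons}


# Constructed sample: visible From is the agency, but the mail was handed off
# by an unrelated bulk mailer and the receiving server saw SPF fail.
SPOOFED_SAMPLE = "\n".join([
    "Return-Path: <bounce@bulk-mailer.test>",
    "Authentication-Results: mx.example.test; spf=fail "
    "smtp.mailfrom=bulk-mailer.test; dkim=none",
    'From: "SBA Disaster Assistance" <disasterloans@sba.gov>',
    "Subject: Your stimulus loan status",
    "",
    "Open the attached form to confirm your application.",
])

# Constructed sample: a message that authenticates cleanly.
LEGITIMATE_SAMPLE = "\n".join([
    "Return-Path: <noreply@sba.gov>",
    "Authentication-Results: mx.example.test; spf=pass "
    "smtp.mailfrom=sba.gov; dkim=pass header.d=sba.gov",
    "From: <noreply@sba.gov>",
    "Subject: Application received",
    "",
    "We have received your application.",
])


def classify_samples():
    """Run both constructed samples; used by the usage call below."""
    return {"spoofed": assess(SPOOFED_SAMPLE),
            "legitimate": assess(LEGITIMATE_SAMPLE)}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(label, verdict)
```

The check is deliberately one-directional: it only scrutinises mail that claims the agency's domain, because that is the case the article describes. A production filter would also enforce the domain's published DMARC policy rather than re-implementing these comparisons by hand, but the three signals above are what DMARC ultimately evaluates.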
Lack of information in light of all the struggles loan applicants have gone through is what troubles Shayna Chapman, who helped 17 of her clients in small-town Ohio to apply for SBA loans. Two were approved. Fifteen of them never heard anything back.
"I know this is all happening very fast, and it's very complicated, and the SBA has good intentions," says the Ohio CPA. "But it sure would have been nice to get more communication. People just don't know what's going on."