A flaw in SBA servers exposed credentials of 8,000 applicants

SBA takes PPP and EIDL services down temporarily due to a data breach affecting 8,000 applicants

SBA server glitch leads to personal data exposure. Due to the flaw in SBA servers, the credentials of 8,000 applicants have been exposed to other applicants.

The US government is taking various measures to help small businesses survive the current Coronavirus pandemic. The Small Business Association (SBA)[1] is one of the federal agencies whose authority Congress expanded so that it could grant loans authorized by law to small business owners suffering losses during the pandemic. However, the agency admitted on Tuesday that its Economic Injury Disaster Loans (EIDL) program experienced a glitch[2] on March 25, resulting in the personal data of nearly 8,000 loan applicants being exposed.

The SBA shut the affected EIDL services down to fix the flaw and relaunched the application portal soon after that. The possible victims of the data leak were notified about the issue by paper mail, which contains a list of the personal information that may have been disclosed. According to the SBA, there is some evidence suggesting an attempt to misuse personally identifiable information, including SSN/TIN, addresses, date of birth, email address, phone number, marital status, citizenship status, household size, income, disclosure inquiry, financial and insurance information.

Did the SBA suffer a denial of service attack?

There is not much official information on the technical side of the SBA's data breach, except a quick explanation that the personally identifiable information might have been visible to other applicants. Trump administration officials commented on the issue:

The official said that to access other business owners' information, small business applicants must have been in the loan application portal. If the user attempted to hit the page back button, he or she might have seen information that belonged to another business owner, not their own.

The agency does not elaborate on the type of flaw either and describes the breach as an “inadvertent disclosure of personally identifiable information.”

However, a similar issue was registered with the Steam store in 2017[3]. The store's servers were taken down by a distributed denial of service (DDoS) attack. Like in the current SBA incident, Steam's logged-in users were able to see other users' account data, including credit card numbers, email addresses, billing addresses, purchase history, and other personally identifiable information. The glitch was later explained as a DDoS attack that pushed the services to an abnormal load, resulting in the disclosure of users' data.

People who received the paper mail from the SBA confirming the flaw are encouraged to use the identity theft protection services offered through ID Experts. A free 12-month subscription to the service is promised.

Spam email messages impersonating the SBA leverage its name

Whether it is a coincidence or not, researchers have found multiple phishing emails circulating on the Internet, misusing the SBA's name and signatures. Apart from the most popular COVID-19 spam emails[4], criminals have started disguising malicious programs in a Small Business Association email scam[5] that imitates an application submission confirmation. The content of the email states:

Your application is complete and will be automatically submitted once all supporting documents are received. Please endeavor the small business disaster assistance grant, and fax or email completed form before March 25, 2020.

Please sign the attached completed Request for Transcript of Tax Return (IRS Form 4506-T) and unload it on the SBA website.
Vouchers to be used at testing centers are also attached. Note that vouchers are non-transferable.

U.S. Small Business Administration
409 3rd St, SW. Washington DC 20416

Such emails are well prepared, and some of them can be genuine. However, if you are not a small business owner and did not submit a loan application on the SBA's website, your email address has most likely been leaked and become a target for hackers. Do not open such or similar emails, as the attachment may be infected.

About the author

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
