- A subset of sensitive data belonging to PPP loan applicants has been exposed to lenders and their associates.
- The security lapse came through a mistake when setting up a testing platform used by the SBA.
- The bank responsible for the blunder has now secured two years of identity protection services for the compromised clients.
Bank of America is sending data breach notices to the impacted clients after mishandling the data of a subset of people who applied for PPP (Paycheck Protection Program) loans. The financial institution had been working with the SBA (Small Business Administration) and the U.S. Treasury over the past couple of weeks, trying to process over 305,000 loan applications that would result in the handing out of $25 billion in financial relief. This would be a much-needed breath of fresh air for small businesses that got crushed by the COVID-19 pandemic. Still, for some of them, an additional problem to deal with has just been added.
Bank of America uploaded some of the loan applications to a test application platform controlled by the SBA. The platform was supposed to help the applicants get accustomed to the submission process. This happened on April 22, 2020, when the involved vendors and authorized lenders got access to the system to test the platform from their side as well. The bank quickly figured out that this was a mistake, as the vendors could see the applicants’ information that the bank had uploaded.
This event doesn’t impact the loan submission process for the compromised applicants. Still, it has exposed some sensitive details to other parties, like their tax identification number (TIN), full names, phone numbers, email addresses, citizenship, physical address, Social Security Number (SSN), business name, business address, business contact information, and other details. This doesn’t mean that all of the above was accessed or exfiltrated by the lenders, as it is unlikely that their agents would have any interest in this information. However, the exposure happened nonetheless, and the compromised individuals have to take precautionary protection measures no matter what the risk level is.
In this context, Bank of America has arranged for a complimentary two-year membership in the Experian IdentityWorks identity theft protection service. The service includes daily credit reports and monitoring, internet surveillance, and quick resolution in the case of fraud detection. The compromised individuals will have to register for the program by calling “866-617-1920.” If you want to know what parts of your sensitive information have been exposed, call the bank’s Privacy Response Unit instead, at “1-800-252-2867.”
Other than that, stay vigilant against scam emails. Scammers may try to convince you to re-apply for a loan by entering your information on a phishing platform that may look like the actual SBA platform. Your application hasn’t been affected by this incident, so you don’t need to do anything regarding the loan application.