Bank of America: COVID-19 Loan Data May Have Leaked
Client Data May Have Been Exposed During Test of SBA Loan Platform
Bank of America disclosed this week that some customers' data may have been exposed during the uploading of loan applications related to the Paycheck Protection Program - a U.S. government initiative created to provide business loans during the COVID-19 pandemic.
In a notification letter filed with the California Attorney General's Office this week, Bank of America notes that the security incident happened on April 22, when the bank was uploading Paycheck Protection Program applications into a U.S. Small Business Administration “limited access” test platform. This was being done to ensure the process for uploading Paycheck Protection Program loan information worked correctly, according to the bank.
Bank of America did not reveal the number of clients whose data was involved in the application test upload. The bank noted, however, that it has processed more than 305,000 Paycheck Protection Program loan applications over the last several weeks, with the SBA lending about $25 billion to the bank’s clients to help small businesses continue operations during the COVID-19 pandemic.
The incident did not impact the submission of any loan application to the SBA, the bank says.
Bank of America is offering those affected by the apparent data leak a prepaid two-year membership in an identity theft protection service, according to the notification letter.
Data Exposed
The information possibly exposed during this incident included the address and tax identification number of the business seeking the loan, along with some of the owner's personal information, such as name, address, Social Security number, phone number, email address and citizenship, according to the bank.
"During testing, we discovered information included in your application may have been visible for a limited time period to a limited number of other lenders and their vendors authorized by the SBA to participate in the program," Bank of America wrote in the notification letter.
After the incident was discovered, Bank of America asked the SBA to remove its information from the test website, which it confirmed was accomplished on April 22. Even though some of the client and customer data was visible to "other lenders and their vendors authorized by the SBA to participate in the program," Bank of America does not believe any of the information was actually viewed by any of the other lenders, according to the notification letter.
Previous Security Incidents
In March, the SBA reported that a flaw in an online application portal for its Economic Injury Disaster Loan program exposed the personal data of approximately 8,000 loan applicants (see: SBA May Have Exposed Data on 8,000 Loan Applicants).
It's not clear if the incident involving Bank of America was related to the possible data breach at the SBA, and a spokesperson for the agency could not be immediately reached for comment on Thursday.
When President Donald Trump signed the $2.2 trillion stimulus bill, known as the CARES Act, in March, it included money for the Paycheck Protection Program, which quickly ran out due to demand.
In April, Trump signed a new aid package that included $320 billion more for the Paycheck Protection Program and about $60 billion earmarked for the Economic Injury Disaster Loan program.