Lessons learned from the Small Business Administration's data breach

The event impacted the accounts of almost 8,000 people. Here are tips on how to protect yourself and your organization from website breaches.

How to limit the impact of data breaches

A data breach is an event that can affect any website, especially at the worst possible time. One of the latest organizations impacted by a breach is the Small Business Administration (SBA) through an incident in which the personal data of 7,913 users was mistakenly shared with other people. Though details about the SBA's website breach are minimal, the incident itself serves as a warning sign and wake-up call to many organizations on how to protect their user data.

This week, the SBA announced that the personal data of almost 8,000 people applying for loans had been seen by other loan applicants on its website on March 25. The people affected by the breach had been applying for money through the Economic Injury Disaster Loans (EIDL) program, which is designed to provide loan advances as high as $10,000 for businesses losing revenue due to the impact of COVID-19. In a statement shared with TechRepublic, the SBA acknowledged that personal information was exposed.

"Personal identifiable information of a limited number of Economic Injury Disaster Loan applicants was potentially exposed to other applicants on SBA's loan application site," the SBA said. "We immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal."

In response, the SBA notified individuals who were potentially affected and offered them a free year of credit monitoring.

The breach itself occurred at a bad time—the agency has been unable to accept new applications for EIDL COVID-19-related assistance because new loan funding has yet to be approved and allocated by Washington. The EIDL website itself has also proved problematic. The site was offline for several hours on March 16 due to maintenance, during which time people couldn't apply for loans, according to The Associated Press. On March 29, the SBA changed its application process for loans, forcing businesses to have to reapply, a twist that many did not learn about until days or weeks later.

SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic) 

In a letter sent to affected loan applicants that was obtained by AP, the SBA said it found no evidence that the exposed information had been misused. The data caught up in the breach included names, Social Security numbers, birth dates, financial information, email addresses, and phone numbers.

The exposure of SBA loan applicant data was reported by CBS News on April 4. One affected applicant told CBS that he had gone to the SBA website and found someone else's date of birth, Social Security number, email, phone numbers, and business address filled in on the loan registration page where he was supposed to enter his own details. Ten minutes after replacing the onscreen data with his own, the applicant received a phone call from a business in Delaware saying that it now had all of his data.

Without more information from the SBA, it's unknown how or why the breach occurred, or who was responsible for the data leak. But certain government agencies have been under greater pressure lately because of the coronavirus, forcing them to try to ramp up their capabilities and meet specific deadlines. That situation can easily lead to mistakes.

"As other high profile, rapidly built websites, such as Healthcare.gov, have demonstrated, failing to sufficiently security test all components under aggressive schedules can have a wide ranging impact," Jack Mannino, CEO at security provider nVisium, said. "The coronavirus pandemic has led to many public services scrambling to scale their systems and to build new functionality outside of their normal practices and methods. It's important to understand how these new services affect existing components and expose your users to new threats as you build secure development into your systems engineering."

What can businesses and website owners do to better protect themselves against data breaches before they occur?

"Every business should prepare themselves for the eventual announcement they have been a victim of a data breach," Heather Paunet, vice president of product management at SMB security provider Untangle, said. "However, there are steps that they can take to prepare, minimize, and protect themselves.

"Performing consistent network audits is fundamental," Paunet said. "Understanding which areas of the network may be vulnerable, addressing those with the appropriate security solution or software patch, and continuing to check and recheck can minimize how a cybercriminal can gain access to the network. This preparation also includes employee training, constant notifications about password updates, and segmenting the network by appropriate access."

Despite the necessary preparation and defenses, a website can still be the victim of a data breach, either from outside by a hacker or from inside due to employee carelessness. What should organizations do after a breach has occurred?

"Website owners, especially those with an e-commerce component should remove the ability for payment processing on their website until they understand how far and how deep this data breach goes into their system," Paunet said. "If this would create a financial hardship, orders can be completed via phone to support business income. Website owners should take the same precautions as a brick-and-mortar business—changing passwords, updating credentials, notifying financial institutions and then auditing the breach to fully understand how customers were affected."

Paunet also suggested that organizations should review their full website code, checking for any other suspicious code that may cause further problems down the road. Audits and alerts should also be part of the response.

"Businesses should audit their network and files, creating a detailed report of exactly what information has been compromised and start the process of alerting any customers or staff who may be victims of the breach," Paunet said. "Clear communication to those affected, outlining steps the business has taken to stop any further information leaking as well as securing the network will be key in reassuring those that are affected that the business is doing everything it can to protect them moving forward. This type of reassurance and transparency can save businesses whose customers may be hesitant to come back."

Organizations should also be on the lookout for attacks using the compromised data.

"Organizations affected by a third-party data breach should be on alert for targeted attacks and social engineering aimed at exploiting the human factor," Mannino said. "With access to financial information and the identity of employees, this is a good starting point for scams and social engineering focused on exploiting people."

Website users whose accounts have been caught up in a breach also need to take certain steps to protect themselves.

"Finding out that your personal or business information has been compromised in a data breach can be nerve-wracking, frustrating, and complex," Paunet said. "The first step anyone should take is to do a password cleanup. All accounts that are attached to sensitive payment information or business data should have their password and credentials updated immediately (if access is still available). This will mitigate some of the potential harm further down the road. Next, any person or business should contact financial institutions, alerting them of the breach and coming up with a plan for account monitoring and approval for any purchase from key accounts."

Also see

Data Breach concept

wildpixel, Getty Images/iStockphoto

By Lance Whitney

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.