Small Business Administrator: Sudden ‘Back’ Attack

April 29, 2020

Last month, on the 25th of March, the U.S. Small Business Administrator (SBA) had a defect in its online submission portal for Economic Injury Disaster Loan (EIDL) applicants, as disclosed by Jovita Carranza. This type of loan is typically offered to small businesses that have suffered losses due to recognized disasters in America. The loan is the government’s aid to help these business owners get their businesses running again after such losses. With the recent amendment of the CARES Act that governs this program, a company can be given a loan of which $10,000 does not need to be paid back.

The issue was confirmed to be a caching problem in the application system. The leak was triggered when an applicant clicked the BACK button to return to the previous page of the application form. Instead of returning to the page they had just filled in with their own sensitive personal information, they landed on the same page of the application populated with data from other people who had also applied to the Small Business Administrator for the same benefits.
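The failure mode described above can be reproduced with a small model. The following is an added example, not the SBA’s code: it assumes the leak came from a shared cache (proxy or CDN) keyed only by URL that stored a personalised response because the origin did not mark it non-cacheable, and the sessions, URL and form text are constructed.

```python
import re
from dataclasses import dataclass, field

NO_STORE = re.compile(r"\bno-store\b", re.I)
PRIVATE = re.compile(r"\bprivate\b", re.I)
MAX_AGE = re.compile(r"\bmax-age=(\d+)", re.I)


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def shared_cache_may_store(resp: Response) -> bool:
    """Simplified RFC 7234 rule for a shared cache: a response carrying
    no-store or private is never stored; otherwise an explicit max-age
    (Expires is ignored in this model) makes it storable."""
    cc = resp.headers.get("Cache-Control", "")
    if NO_STORE.search(cc) or PRIVATE.search(cc):
        return False
    return bool(MAX_AGE.search(cc))


class SharedCache:
    """Cache keyed only by URL, like a CDN not configured to vary by session."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def get(self, url: str, session: str) -> Response:
        if url in self.store:
            return self.store[url]  # served to *any* session that asks
        resp = self.origin(url, session)
        if shared_cache_may_store(resp):
            self.store[url] = resp
        return resp


def origin_leaky(url, session):
    # Hypothetical weak setting: a personalised page marked publicly cacheable.
    return Response(f"Applicant form for {session}",
                    {"Cache-Control": "public, max-age=600"})


def origin_fixed(url, session):
    # Corrected setting: personalised pages must not be stored anywhere.
    return Response(f"Applicant form for {session}",
                    {"Cache-Control": "private, no-store"})


def back_button_sees(origin) -> str:
    """Alice loads the review page; Bob then requests (Back to) the same URL."""
    cache = SharedCache(origin)
    cache.get("/eidl/review", session="alice")
    return cache.get("/eidl/review", session="bob").body
```

With the leaky origin Bob receives Alice’s form; with the fixed origin the cache never stores the page, so each applicant only ever sees their own data.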


In this view, other applicants could see critical information such as full names, dates of birth, addresses, contact numbers, Social Security numbers, and financial histories of other Small Business Administrator loan applicants. With this information, anyone who obtained it could commit extensive fraud on behalf of the victims.


Not too long ago, a similar case happened to Valve’s Steam Store for gamers, when a Distributed Denial of Service (DDoS) attack hit on Christmas Day. In the same way, cached information was shown to other people who hit the ‘back’ button on their purchase, leaking sensitive information. This issue arose from a system update deployed at the time to cope with the large volume of traffic from peak-season purchases. But the update only made it worse.

The same pattern was observed with the loan application portal. Since businesses took a painful hit from the pandemic crisis, a large volume of applicants tried to submit their claims at once, and the system was unable to handle the load.

Fortunately, both incidents were addressed promptly, and regular operations resumed afterwards. In spite of these actions, the government remains under public scrutiny. For those whose information was leaked, the government has offered a credit monitoring plan to mitigate possible fraud and related risks.

Currently, no new applications are being accepted for this benefit because of budget shortfalls. The number of applications already received far exceeds the allotted budget.
