Protect Your Identity: SBA Website Bug Exposes Personal Information of Loan Applicants

On March 25, the Small Business Administration (SBA) discovered a programming error on its website that exposed the personal information of businesses applying for Economic Injury Disaster Loans (EIDL), including Social Security numbers and addresses, to other EIDL applicants. The agency said it has corrected the website and notified the businesses that were impacted. The agency also said it will provide a year of credit monitoring to the affected organizations.

Cyber-criminals and hackers are likely to try to take advantage of the SBA EIDL website error. They habitually use such situations to wreak havoc on businesses and individuals through social engineering attacks such as phishing. Recently, the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) issued a joint alert regarding the growing use of COVID-19 related themes by malicious actors.

A few suggestions to help you protect your identity:

1. Scrutinize emails pertaining to COVID-19, the CARES Act, EIDL and PPP:

  • Would the entity that the email is “supposedly from” typically request personal information or account information via email?
  • Use the “hover over” technique on the hyperlink contained in the email: rest your pointer on the link without clicking it to reveal the address it leads to.
  • Carefully examine the resulting URL for the website/entity that will process the request.
  • Verify the request via a different method (e.g., phone or online chat instead of email).

2. Consider freezing your credit files:

  • A provision of the Economic Growth, Regulatory Relief and Consumer Protection Act eliminates the fees associated with freezing and un-freezing your credit files.
  • Consider how often your information is public and vulnerable and what purchases might impact your credit or warrant a credit check.
  • Learn more about freezing your credit files at the Annual Credit Report website. Follow these prompts:
    • Choose the “Protect Your Identity” tab.
    • Then choose “Security freeze basics” on the left-hand side of the screen.

3. Review your annual free credit report via the Annual Credit Report website:

  • It is authorized by federal law.
  • You are entitled to one free report from each of the following credit bureaus every year:
    • Equifax
    • Experian
    • TransUnion

4. If your bank offers it, enable Multi-Factor Authentication (MFA) for all your online financial accounts.

While these are easy steps to take to provide some protection, our list is hardly all-inclusive. There is also no comprehensive list of COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.

The HBK Risk Advisory group can answer your questions about identity theft and other cyber security matters. For more information, contact me at WHeaven@hbkcpa.com.

About the Author(s)
Bill Heaven is a Senior Manager in HBK’s IT Department and works out of the firm’s corporate office in Youngstown, Ohio. He specializes in cyber security, IT security, external IT audit, internal IT audit, IT consulting, software development, IT governance, PCI-DSS, supply chain, system implementations and e-Commerce.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.