SBA Announces Disaster Loan Data Breach & How to Respond and Prepare

Submitted by Mueller Prost CPAs + Business Advisors

On April 21, 2020, the Small Business Association (SBA) reported a potential data breach, dating from March 25, 2020, on the website that handles Disaster Loan applications. The agency stated that the information of approximately 8,000 business owners applying for Economic Injury Disaster Loans was potentially seen by other applicants. It indicated that only the Disaster Loan Program was affected and not the Paycheck Protection Program, which did not begin until April 3rd and is handled by a separate system. The agency has contacted all owners whose information has been exposed and will offer them a free year of credit services. The agency has also disabled the part of its system that exposed the data.

Steps every business owner should take if their company’s data has been exposed

Regardless of how the breach occurred, what data may have been exposed, and who exposed it, there are steps a business owner or organization should take after being notified of a third-party data breach. When a breach of your data has occurred, you need to act promptly: action should be taken within the first few hours of the notification, because the goal is to limit any further exposure. If you have a business continuity plan, now is the time to activate it. Even if you do not have one, we have outlined some immediate steps that should be taken as soon as you are notified of the breach.

What data has been exposed

Determine what type of breach has occurred, what data has been exposed, and by whom. Has any sensitive data, such as Personally Identifiable Information (PII), been breached? PII is defined as information that identifies a person or business. This includes full names, social security numbers, driver's license numbers, bank account numbers, financial statements or disclosures, and email addresses.

This distinction matters for business owners, because their public data is already readily available. Private data, however, should not be readily available and should be kept secure by any third party that holds it. You should also obtain confirmation of the breach and learn exactly which data has been exposed. This will help you determine your course of action to protect against possible misuse of that data.

Accept help from the breached organization

If the breached organization offers to help, accept the help unless there are issues with the offer. They know more about what has occurred, what data was lost, how it was lost, and how they plan to remediate the situation so it will not happen again. This will help your organization repair possible damage and take steps to protect your information from further exposure. In most instances, the breached organization will offer credit reporting services for a period of time.

Change your online passwords

Immediately change the passwords you use for online banking, financial statement and tax software, and any other financial, vendor, supplier, or client information logins. Even if passwords themselves were not breached, your accounts and activity may come under scrutiny by whoever obtained the data from the breach. Always use a strong password scheme with upper and lower case letters, numbers, and special characters where available. Additionally, if you have challenge questions and answers, change them as well.

Never use the correct answer to your challenge questions. For example, if the challenge question is "What was your first car?" and the true answer is "1964 Chevy Malibu", do not use it; instead use an answer that makes no sense for the question being asked, such as "Baked Potato".

Monitor your accounts more frequently

While it is always good practice to monitor your accounts frequently, after a breach you may need to step it up to daily or weekly checks for fraudulent or suspicious activity. Stay alert for new activity and question anything that looks suspicious. Set time aside periodically (daily or weekly) to review your accounts. If you notice suspicious activity, immediately freeze your credit or place a hold on new transactions.

Take Proactive Steps – Perform a Cybersecurity Risk Assessment

Cybersecurity risk assessments are key components of risk management, and their integration into enterprise risk assessments is critical to identifying the danger zones in your technology and effectively managing risk. A cybersecurity risk assessment can identify your current practices, point out gaps in your cybersecurity program, and produce a roadmap for increasing your cybersecurity diligence in protecting your data and your clients' data. Regularly scheduled cybersecurity risk assessments should be part of your risk management plans. If your business has not performed a technology risk assessment, or if an existing assessment is more than a year old, the time to begin is now.

While this particular SBA breach may have exposed only 8,000 disaster loan applications, it is important to note that there are numerous data breaches every year that expose billions of records. The bad guys want money and knowledge, and they get it by stealing your data, holding your data for ransom, or disrupting your processes. Protecting your organization's data is good business practice. Keeping your data safe, protecting your business processes, and reducing risk requires an organization to be vigilant about the processes it has in place. Understanding what is at risk, where your data is, and how to protect that data will reduce the possibility of a data breach.