PPP loan data leak

Orion G.

Wong

Tech integration

13/3/2022

PPP loan data leak

On April 22nd. Of 2020, data of business owners was leaked by the Bank Of America. They reportedly uploaded large amounts of data relating not just to other small businesses, but also the personal information of the owners to the US Small Business Administration's test platform. The Bank Of America specifically uploaded PPP (Paycheck Protection Program) applications from business owners. They were supposedly viewable by lenders for a day(3).

There unfortunately probably wasn’t much these businesses could do to avoid this. The problem was completely on the bank’s end, and many small businesses relied on the extra money during the 2020 pandemic.

The specific data leaked was the names of business owners, tax, or address identification numbers, phone numbers, citizenship status, emails, social security numbers, and addresses. The PPP loan, by this point, had over 650 Billion dollars in funding, and there were over 305,000 businesses planned to get the loan(3). This data was visible to lenders to the program, as well as their vendors. The information didn’t get released to the public, or other businesses directly, and the Bank Of America denied information got out to the public(2).

Notably, the bank didn’t disclose what financial losses this error caused, but insisted it was little. (3). Reportedly, a spokesman said "There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time”(2). This is a concerning look into how banks can potentially cause large problems for businesses, and not the first time the Bank Of America has done something like this. In early 2013, 14 gigabytes of data was leaked. The Anonymous Intelligence Agency reported that "The data was retrieved from an Israeli server in Tel Aviv". Clearforest, a company that provides data, and business analytics in Tel Aviv reportedly stored the data on a public server. They were funded by the Bank Of America, which bodes bad for their security(1).

1. Kitten Tracy. BofA Confirms Third-Party Breach. Bank info security. ISMG network. March 5th. 2013. https://www.bankinfosecurity.com/bofa-confirms-third-party-breach-a-5582. March 9th. 2022.

(2) Coble, Sarah. Data Breach at Bank of America. Info security. Info security group. May 27th. 2020. https://www.infosecurity-magazine.com/news/data-breach-at-bank-of-america/. March 9th, 2022.

(3) Hudson, Caroline. Bank of America reveals data breach in PPP application process. Charlotte business journal. The business journals. May 26th. 2020. https://www.bizjournals.com/charlotte/news/2020/05/26/bank-of-america-discloses-ppp-data-breach.html. March 9th. 2022.