An apparent rush to build an application to process COVID-19 relief loans created by the U.S. Small Business Administration (SBA) resulted in a data breach that exposed the personal information of 7,913 individuals on the SBA website.
The issue manifested itself early in the rush to apply for economic injury disaster loans, a program through which the U.S. government makes up to $2 million in emergency assistance available to businesses that have been adversely impacted by the COVID-19 pandemic.
The issue, however, only came to light this week. The SBA is now providing individuals impacted by the data leak with free access to services to check their credit scores for one year.
It is not clear to what degree that data might have found its way into the hands of cybercriminals, who could use the information to launch more targeted attacks against business owners. However, such breaches potentially provide cybercriminals with access to a treasure trove of data that would command a premium on the Dark Web.
The SBA has since remediated the issue that led to the breach, but Jack Mannino, CEO of nVisium, a consulting firm that specifically focuses on application security, said the issue appears to point to a bug in the application. Anytime any organization that is dependent on antiquated systems is required to build an application quickly, there invariably will be security issues, he noted.
One of the most common application security issues organizations encounter is that it is difficult to replicate a legacy production system in a test environment. Given the popularity of the loan program, testing to make sure the site can secure data at that level of scale was most likely not feasible, noted Mannino.
Mannino observed that many of the entities that applied for SBA relief are sizeable companies that have already had a target painted on their backs, so it’s probable some of this data is already in the wrong hands.
In theory, at least, the adoption of best DevSecOps processes should forestall similar cybersecurity issues from arising. However, no matter how much security is embedded with the application itself, organizations will need to upgrade the IT infrastructure on which those applications depend to ensure security. The challenge is most organizations cannot afford wholesale upgrade of their IT environments.
There will never be such a thing as perfect security, but there are just too many opportunities for mistakes to be made when building applications quickly on top of outdated infrastructure.
Of course, the issues being encountered by the SBA are not uncommon. Many organizations struggle with many of the same issues in a much less high-profile way. It’s not clear, however, if the SBA should be held accountable. It’s not likely a government agency is going to be fined by another government agency for a data breach. There undoubtedly will be a few lawsuits, but for now, the SBA seems to be following all the generally accepted processes organizations typically implement in the wake of a data breach. To what degree that satisfies the individuals affected remains to be seen.