Bank of America Corporation has disclosed a data breach affecting clients who have applied for the Paycheck Protection Program (PPP).
As a part of relief strategies to alleviate financial issues caused by the COVID-19 pandemic, and help businesses remain afloat, Small Business Administration (SBA) launched the Paycheck Protection Protocol (PPP), a program that gives loans to businesses to keep their workforce employed.
Small businesses with less than 500 employees, non-profit organizations, veteran organizations, etc., are among the few qualified for this scheme. As expected, many applicants sent in their application, bearing personal data, to the Bank of American Corporation. The number of applications processed by the Bank of America with the SBA is impressive and exceeds 305,000.
Client information was exposed on the 22nd of April; the bank uploaded the PPP’s applicant details onto the US Small Business Administration’s test platform. This was done to offer lenders a test trial of PPP submissions protocols before subsequent applications came in.
The Bank of America, which has its headquarters in Charlotte, North Carolina, disclosed that it had filed a breach notification document with the California Attorney General’s office. The breach of clients’ data prompted this. The compromised data included both personal (client’s name, address, telephone number, email, citizenship status), as well as business-related information (tax identification number, social security number).
In the breach notification document, a spokesperson for the bank said; “There is no indication that these lenders or their vendors viewed or misused your information. And your information was not visible to other business clients applying for loans, or to the public, at any time.”
The bank says that the cybersecurity mishap didn’t affect the PPP application and submission processes. They launched an internal investigation to determine how the data came to be exposed.
The bank, however, has not been forthcoming with the specifics as to how many applicants were affected; but they added that access to data was minimal.
SBA-authorized lenders and their vendors were able to view clients’ information as a result of the breach; but the SBA was quick in action as they resecured the compromised data in just twenty-four hours.
To compensate the clients; the Bank of America is offering clients affected by the breach free two-year membership of Experian’s identity theft protection program.