Citizen Services

Lawmakers push for answers on SBA data leak

Despite a glitch that made headlines, the Small Business Administration had planned in advance to build tech tools to support legislative mandates for emergency business loans.

Small Business Administration Editorial credit: Jer123 / 

Lawmakers are seeking more information about the leak of personally identifiable information from thousands of applicants for loans through the Small Business Administration during the coronavirus pandemic.

Sens. Ben Cardin (D-Md.) and Marco Rubio (R-Fla.) and Rep. Nydia Velazquez (D-N.Y.) wrote to SBA Administrator Jovita Carranza on April 23 seeking "a complete accounting" about an incident in which personal data including income and Social Security numbers of at least 8,000 Economic Injury Disaster Loans were exposed.

SBA confirmed press reports that EIDL applicants may have had some of their data exposed to other applicants. An administration official told CNBC that "we immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal."

A twitter user posted a copy of the SBA letter on April 17, which said the "inadvertent disclosure" of PII was discovered on March 25.

SBA tech officials had a short time to build applications to handle the anticipated crush of applicants for a number of financial relief programs, including EIDL and the website to help small business apply for Paycheck Protection funding – forgivable loans that incentivize businesses to retain employees during the current crisis.

"We had to build things quickly, including the lender gate way in eight days," said Maria Roat, SBA CIO, of its efforts to support the Paycheck Protection Program.

Roat, who spoke at an April 23 virtual event hosted by the Association of Federal Information Resource Managers, was not asked about the data leak in the EIDL portal, but did talk about some of the challenges faced by teams who have to build technology to support new legislative parameters.

Roat said SBA's IT operation was anticipating some of the additional duties the federal economic support package, but some of the details were a moving target.

For larger banks, the agency leveraged its existing portal for disaster loans and the PPP, she said, but SBA also had to work with a new cadre of small and medium-sized businesses.

"The regular portal for 1,800 lenders we work with was already up and running," she said as the COVID crisis rolled forward. SBA built the lender gateway for small and mid-sized businesses in eight days.

SBA along with Treasury and other agencies had been planning for Congress to pass a recovery bill since March.

"There was a lot of upfront planning. We had to watch legislation for particulars," she said.

Even though the agencies knew there would be money for the PPP program and disaster loans, the agencies didn't know until the legislation was approved about what the loan rules were, and how the money would be handled.

"That we had to respond to quickly," she said and ran "what if" scenarios in anticipation. While SBA does disaster loans as part of its core program activity, "what was different was large amount of money and how it is vetted and distributed," Roat said.

On the security side, Roat said, SBA worked on geofencing portalts to limit access to the United States and its territories.

Along with the external-facing portals, she said the agency has also beefed up internal support capabilities, with new staff to handle incoming calls and requests for online support.

About the Authors

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.

Derek B. Johnson is a former senior staff writer at FCW.


  • Workforce
    Shutterstock image 1658927440 By Deliris masks in office coronavirus covid19

    White House orders federal contractors vaccinated by Dec. 8

    New COVID-19 guidance directs federal contractors and subcontractors to make sure their employees are vaccinated — the latest in a series of new vaccine requirements the White House has been rolling out in recent weeks.

  • FCW Perspectives
    remote workers (elenabsl/

    Post-pandemic IT leadership

    The rush to maximum telework did more than showcase the importance of IT -- it also forced them to rethink their own operations.

Stay Connected