Lawmakers push for answers on SBA data leak

Lawmakers are seeking more information about the leak of personally identifiable information from thousands of applicants for loans through the Small Business Administration during the coronavirus pandemic.

Sens. Ben Cardin (D-Md.) and Marco Rubio (R-Fla.) and Rep. Nydia Velazquez (D-N.Y.) wrote to SBA Administrator Jovita Carranza on April 23 seeking "a complete accounting" about an incident in which personal data including income and Social Security numbers of at least 8,000 Economic Injury Disaster Loans were exposed.

SBA confirmed press reports that EIDL applicants may have had some of their data exposed to other applicants. An administration official told CNBC that "we immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal."

A twitter user posted a copy of the SBA letter on April 17, which said the "inadvertent disclosure" of PII was discovered on March 25.

SBA tech officials had a short time to build applications to handle the anticipated crush of applicants for a number of financial relief programs, including EIDL and the website to help small business apply for Paycheck Protection funding – forgivable loans that incentivize businesses to retain employees during the current crisis.

"We had to build things quickly, including the lender gate way in eight days," said Maria Roat, SBA CIO, of its efforts to support the Paycheck Protection Program.

Roat, who spoke at an April 23 virtual event hosted by the Association of Federal Information Resource Managers, was not asked about the data leak in the EIDL portal, but did talk about some of the challenges faced by teams who have to build technology to support new legislative parameters.

Roat said SBA's IT operation was anticipating some of the additional duties the federal economic support package, but some of the details were a moving target.

For larger banks, the agency leveraged its existing portal for disaster loans and the PPP, she said, but SBA also had to work with a new cadre of small and medium-sized businesses.

"The regular portal for 1,800 lenders we work with was already up and running," she said as the COVID crisis rolled forward. SBA built the lender gateway for small and mid-sized businesses in eight days.

SBA along with Treasury and other agencies had been planning for Congress to pass a recovery bill since March.

"There was a lot of upfront planning. We had to watch legislation for particulars," she said.

Even though the agencies knew there would be money for the PPP program and disaster loans, the agencies didn't know until the legislation was approved about what the loan rules were, and how the money would be handled.

"That we had to respond to quickly," she said and ran "what if" scenarios in anticipation. While SBA does disaster loans as part of its core program activity, "what was different was large amount of money and how it is vetted and distributed," Roat said.

On the security side, Roat said, SBA worked on geofencing portalts to limit access to the United States and its territories.

Along with the external-facing portals, she said the agency has also beefed up internal support capabilities, with new staff to handle incoming calls and requests for online support.