Business clients applying for Paycheck Protection Program (PPP) loans with Bank of America may have had their personal and business information exposed in a data breach, according to a letter the bank sent to affected customers.
The data breach occurred on April 22 as Bank of America uploaded customers’ PPP loan applications to the Small Business Administration’s (SBA) online testing system, which allowed lenders to test application submissions. During the testing process, Bank of America said application information was potentially visible to other lenders and their third-party vendors.
The exposed data included both business and personal information for clients. The affected business data may include business names, addresses and tax identification numbers. Affected personal data may include names, addresses, Social Security numbers, phone numbers, email addresses and citizenship information.
The impacted applicants were spread across multiple states, but the total number was relatively small according to Bank of America. The bank asked the SBA to remove the visible information the same day the breach was discovered. Application statuses were not affected by the breach.
Although other lenders and vendors may have had the ability to view application details, Bank of America stated there is no evidence that they did so.
This is not the first data breach related to the SBA. In March, nearly 8,000 applicants for the Economic Injury Disaster Loan program had their application details exposed, with personal and business data available to be viewed by other applicants.