This Week in Data Breaches: Personal Information of Emergency Loan Applicants Exposed in SBA Data Leak

Welcome to this week’s round-up of the latest in data breaches, leaks, and privacy intrusions. This week: personal information of thousands of emergency loan applicants exposed in SBA data leak, 2.5 million credit cards compromised in a massive leak at a payment startup, and a sophisticated phishing attack on oil producers amid the global oil shock.

SBA Exposed the Personal Information of Thousands of Emergency Loan Applicants

Nearly 8,000 emergency loan applicants who applied for the Small Business Administration’s (SBA) Economic Injury Disaster Loan program (EIDL) in March may have had their personal information exposed.

The SBA recently expanded its EIDL program and rolled out the new Paycheck Protection Program (PPP) to provide financial relief to companies struggling amid the coronavirus pandemic. The technical glitch in the SBA’s application portal, which inadvertently disclosed personal information to other applicants, came as the agency was dealing with a surge in applications by small businesses for emergency loans. Exposed information included names, Social Security numbers, addresses, birth dates, email addresses, phone numbers, and insurance information.

According to the SBA, there have been no signs of misuse stemming from the exposure. In a statement, a spokesperson for the SBA said, “We immediately disabled the impacted portion of the website, addressed the issue, and relaunched the application portal.” The SBA has notified affected businesses and offered one year of free credit monitoring.

Oil Producers Targeted by Hackers Amid Global Oil Shock

ArsTechnica reported this week on a sophisticated spearphishing campaign launched against oil producers aimed at siphoning off sensitive data and communications. The attack comes as the world faces an unprecedented oil shock, with the price of oil falling precipitously as demand has cratered and producers have been left with a glut of oil and lack of storage capacity.

The first campaign of phishing emails, sent under the guise of the Engineering for Petroleum and Process Industries, began on March 31 and targeted nearly 150 energy companies. In the email, the attackers asked for the companies to submit bids for a real project run by an Egyptian state oil company. Attached to the email were two files that contained malicious malware disguised as contracts and forms needed for the bid.

According to researchers, the emails were so convincing that the attackers most likely have intimate knowledge of the oil projects and experience in the industry. A second campaign was launched on April 12, this time targeting shipment companies in the Philippines. Again, what set the campaign apart was just how legitimate the emails seemed given the accuracy of the information. It seems likely, given the timing, that the campaigns were an attempt to glean insights into negotiations between oil producers as Russia and Saudi Arabia clashed over production cuts.

The phishing campaign primarily targeted US companies, but the emails were also sent to companies in the UK, Ukraine, Latvia, Romain, and Iran. This latest attack is a reminder of the degree of sophistication that hackers have reached in targeting companies for all sorts of nefarious reasons. Phishing attacks are one of the most effective methods for hackers to gain access to devices and siphon off data. Learning how to spot signs of these types of attacks remains one of the most important steps you can take to protect yourself or your company.

2.5 Million Credit Cards Compromised by Paay Data Leak

Paay, a payments processor startup, exposed 2.5 million credit card transactions with a publicly accessible database. The massive database was left unsecured for nearly three weeks before it was taken down.

Paay co-founder Yitz Mendlowitz told TechCrunch, “On April 3, we spun up a new instance on a service we are currently in the process of deprecating. An error was made that left that database exposed without a password.” The publicly accessible database was discovered by security researcher Anurag Sen. Paay failed to secure the database with a password, making it accessible to anyone who came across it.

According to TechCrunch, each credit card transaction contained the full credit card number in plaintext, expiration date, and transaction amount. However, the exposed transactions did not include names or CVV codes.

Make sure to check out our in-depth security and privacy guides:

• How to Take Control of Your Credit
• How to Protect Your Phone
• How to Protect Your Identity
• How to Protect Your Privacy
• The Ultimate Guide to Data Breaches

Bloom: Your Data, Your Credit, Your Privacy

At Bloom, we are giving you the tools to take back control of your data all in one simple app. No more centralized data storage. No more selling off your data to the highest bidder. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.

It’s time to take back control of your data and unlock the power of a secure identity today. Download the Bloom mobile app to protect your identity, monitor your credit, and get free data breach alerts with Radar!