Bank of America blames PPP application leak on faulty SBA test server

Bank of America this week revealed a security incident that impacted its online platform for processing loan applications filed by U.S. companies for the Paycheck Protection Program (PPP), a COVID-19 relief fund set up by the US government.
The bank says that information about some businesses that applied for loans last month may have been viewed by other lenders (banks) or organizations.
The information that may have been viewed by others includes the business address, contact details and tax identification number (TIN), but also details about the business owner, such as name, address, Social Security number, phone number, email address and citizenship.
Bank of America attributes incident to SBA test server
The bank blamed the entire incident on a test platform managed by the US Small Business Administration (SBA), the government agency in charge of processing and approving PPP loan applications filed by the bank on behalf of its customers.
“This platform was designed to allow authorized lenders [such as Bank of America] to test the process for submitting PPP applications to the SBA before the actual submission process,” the bank said this week.
Bank of America (BofA) said PPP loan applications submitted on this test server were visible to other parties with access to the test platform.
BofA said this happened on April 22 and that it contacted the SBA the same day to have its customers’ data removed from the testing platform.
However, there might be more to the incident than it appears. At the beginning of April, ZDNet received a tip from one of our readers about issues with the BofA backend for processing PPP loans.
BofA customers who submitted a PPP loan request reported instances where they saw another customer’s details when logging in at a later date to review the status of their request.
It is not known if this incident is related to the problem with Bank of America’s “SBA test platform” disclosed this week, or is an entirely different problem. A Bank of America spokesperson did not return a request for comment last month.
BofA hasn’t had the smoothest experience with the SBA’s COVID-19 PPP relief fund efforts. The bank has been criticized for the confusing design (user experience, UX) of its PPP application process, and was sued in California for prioritizing PPP loan applications from large companies over those submitted by small companies.