Bank of America Corporation (BofA), the second-largest banking institution in the U.S., confirmed this week that a possible data breach may have affected a “small number” of business clients who have applied for the Paycheck Protection Program (PPP).
For those unaware, PPP is a U.S. government initiative that was launched on April 3, 2020 to provide economic relief to small businesses and certain other entities that have been adversely impacted by the COVID-19 pandemic.
The data breach confirmation notice filed with the California Attorney General’s Office revealed that the incident took place on April 22, 2020, when Bank of America (the Bank) uploaded some clients’ loan application information to the U.S. Treasury and Small Business Administration (SBA) test platform.
SBA’s test application platform was designed to allow authorized lenders to test the process for submitting PPP applications to the SBA prior to the actual submission process. The Bank has processed more than 305,000 PPP relief applications with the SBA, providing more than $25 billion in financial relief for small businesses in need.
According to the Bank, the application may have been visible for a limited period to other SBA-authorized lenders and their vendors. The exposed information could include customers’ business details like business address and tax identification number (TIN), as well as their personal information such as name, address, Social Security Number, phone number, email address and citizenship status.
However, there is currently no indication that the information was viewed or misused by any of the participating lenders or their vendors. Additionally, the information was not visible to other business clients applying for loans, or to the public, at any time.
Upon discovering the breach, the Bank requested and confirmed the removal of the information from the SBA’s test website the same day. Also, there was no impact on the actual submission of PPP loan applications to the SBA.
Currently, the Bank is conducting its own internal investigations to determine how the data came to be exposed. It did not disclose how many customers were affected or how many lenders were using SBA’s test application platform on April 22nd.
To offset the incident, Bank of America is offering the affected customers a complimentary two-year membership in Experian’s identity theft protection program (including daily credit monitoring).
“Keeping your information confidential is one of our most important responsibilities. We are notifying you so we may work together to protect your personal and business information,” the Bank said in the filing.
As a precautionary measure, the Bank has advised its customers to promptly review their credit reports and account statements over the next 12 to 24 months and to notify the Bank of any unauthorized transactions or incidents of suspected identity theft related to their accounts with the Bank.
For more safety tips, customers can also visit Bank of America’s privacy and security center page.