Bank of America (BofA) has disclosed a data breach that affected a 'small number' of customers who had applied for the US Paycheck Protection Program (PPP).
In a letter to customers [PDF], Charlotte, Carolina-based BofA said that the breach occurred on 22nd April after loan applications of some clients were uploaded to the US Small Business Administration (SBA) test platform.
The purpose of the SBA test platform, according to the bank, was to enable authorised lenders to test the PPP applications and send them to the agency before the start of the second round of application process.
As a result of the data breach, other SBA-authorised lenders, as well as their vendors, were able to view some private data of applicants, including their business tax identification number, business address, owner's name, social security number, address, phone number and email address.
According to the bank, there is currently no evidence to suggest that the exposed information was misused by the lenders or their vendors.
"Your information was not visible to other business clients applying for loans, or to the public, at any time," the bank said.
Additionally, the breach "did not affect the actual submission of PPP loan applications to the SBA," it added.
Bank of America claimed that the data exposed in the incident was deleted from the test website on same day.
The company refrained from revealing specific details of clients affected in the data breach, stating only that the breach impacted a "small number" of customers.
The letter sent by BofA to customers was made public by the California Attorney General's office.
The bank has ordered an internal investigation to determine how customers' data was exposed through SBA platform. It is also offering affected customers two-year membership of Experian's identity theft protection programme at no extra cost.
Customers have been advised to review their monthly account statements thoroughly and report any suspicious activity to bank officials.
BofA also says that it is working closely with the US Treasury and SBA to process over 305,000 PPP loan applications with the SBA, providing over $25 billion in financial relief for small businesses in the US.
Budget carrier confesses to hack in January 2020, and has informed the Information Commissioner's Office
The Travelex ransomware raises the question, once again, of whether organisations should be obliged to provide more information
No zero-days patched in the latest release
Attack, which came as firm was preparing for Covid measures, was a 'perfect storm' CEO says
Make passwords at least 13 characters long and protect email with a strong passphrase, police advise
With Covid-19 related fraud through the roof it's time to review password policy, says South East Regional Organised Crime Unit