Statement: SBA data breach puts business owners at risk of ID theft and other fraud

U.S. PIRG Education Fund

WASHINGTON — The Small Business Administration (SBA) announced Tuesday that the personal information of nearly 8,000 business owners applying for federal disaster loans had been exposed. The breach affects applicants to the Economic Injury Disaster Loan program (EIDL), and may have included names, Social Security numbers, addresses, birth dates, email addresses, phone numbers, citizenship statuses and insurance information.

Mike Litt, U.S. PIRG Education Fund Consumer Campaign director, issued the following statement in response:

“Business owners who applied for these emergency loans are going through a lot already. The last thing they need is to have to worry about fraud. This isn’t just a ‘watch out for phishing’ data breach. The SBA’s data breach now puts these applicants at risk of identity theft, Social Security benefits fraud, tax refund fraud, medical services fraud, and possibly insurance fraud. 

“Offering a free year of credit monitoring isn’t enough. The SBA needs to clearly explain to those exposed in this breach that they are at risk, spell out what they can do to protect themselves, and above all, make sure this doesn’t happen again.

“With just your name and Social Security number, an ID thief can open a new credit account in your name. Credit monitoring will only alert people after a fraudulent account has been opened. The best way to prevent a fraudulent account from being opened in the first place is by getting free credit freezes at the national credit bureaus. 

“Because birth dates were also exposed, applicants affected by this breach are also at risk of Social Security benefits, tax refund and medical services fraud. Also, depending on what insurance information was exposed, people might also be at risk of insurance fraud.”

U.S. PIRG Education Fund recommends the following steps for these types of fraud:

  • Health Care Services/Medical Benefits Fraud: Sign up for online accounts with your health care and insurance providers to periodically check for any fraudulent services on your statements.

  • Phishing Scams: Ignore unsolicited requests for information by email, links, phone calls, pop-up windows or text messages.


U.S. PIRG (Public Interest Research Group) Education Fund is an independent, non-partisan group that works for consumers and the public interest. Through research, public education and outreach, we serve as counterweights to the influence of powerful special interests that threaten our health, safety or well-being.