This week, the Bank of America revealed that personal data of some of its customers may have been exposed when they uploaded their Paycheck Protection Program (PPP) loan application to the bank’s testing platform.
According to a notification letter filed with the California Attorney General’s Office, “on April 22, the Bank uploaded some clients’ loan application information to the SBA’s test application platform, which authorized lenders and their vendors also use to test their loan submission processes”.
During the uploading, the organization discovered that the information included in the PPP loan application may have been visible, “for a limited period of time,” to other “lenders and their vendors authorized by SBA to participate in the program.”
Among the information that may have been viewed, bank officials listed the following:
• Business owner name, address, Social Security number and citizenship
• Business address, contact information and tax identification number (TIN)
Bank of America did not disclose the number of impacted clients. However, it did say that, ”more than 305,000 Paycheck Protection Program (PPP) loan applications with the SBA” have been processed, “providing more than $25 billion in financial relief for small businesses in need.”
“There is no indication that your information was viewed or misused by these lenders or their vendors,” the bank added. “And your information was not visible to other business clients applying for loans, or to the public, at any time.”
What safety measures has the bank implemented? Besides conducting an internal investigation to minimize any financial impact for applicants, Bank of America “has arranged for a complimentary two-year membership for an identity theft protection service.”
What can affected business owners do? The bank recommends for applicants to review their credit reports and account statements over the next 24 months, and notify bank officials of any suspicious or unauthorized transactions related to Bank of America accounts.
Additional precautionary measures are also advised:
• Don’t provide personal identifiable information over the phone or online unless you have previously identified the identity of the individual
• Shred any pre-approved credit offers to which you do not respond
• Regularly change existing passwords and PIN numbers for your accounts
• Immediately report stolen or lost credit or debit cards