Jay Warren was frantically trying to submit an online loan application under the Paycheck Protection Program (PPP), but the site he was accessing at lendioapply.crossriversba.com/ kept timing out. He says he tried to reload the application some 30 times and still had no luck. When a page finally appeared, he found something even more troubling: he was staring at the application of a stranger who lived 1,200 miles away.
The first page he saw displayed the person's name, email address, and business phone number. When Warren clicked to the next page, he saw the last four digits of the woman’s social security number and her business address. Knowing that the application required other sensitive information—including disclosure of any criminal history, average monthly salary, a driver’s license scan, a scan of a voided check, a proof of payroll form, and, optionally, the most recent tax return—Warren stopped there.
“If I had kept clicking on, who knows what I would have seen,” said Warren, who lives in Tucson, Arizona. “I felt weird about it, so I got out of it.”
Warren then called Kelley Jacobs, the Illinois-based woman whose information had appeared on his screen. He told her what had just happened and asked if she had seen his information. She said she hadn’t but that, like him, she had been experiencing maddening website glitches as she was trying to complete her PPP application.
The service facilitating the online loan application process was provided by Lendio, a company that matches borrowers with lenders around the US. The financial institution in this case was Cross River of Fort Lee, New Jersey.
Because Lendio had been the entity that emailed both Warren and Jacobs the link to the application, both of the applicants called Lendio’s customer service department and explained what happened. On Tuesday, more than 24 hours after the mishap, a Lendio representative sent a response.
“We have confirmed there are no glitches or data breaches on Lendio’s site,” the representative wrote. “We do not believe that your data was shared on Lendio’s end.”
The email went on to offer Jacobs a year’s worth of credit monitoring at no cost. It also directed her to resubmit her application and this time use a different lender.
In a statement issued after this post went live, Lendio officials wrote:
Lendio confirms that the computer anomaly did not occur on Lendio’s website. Protecting every customer’s personal information is of utmost importance to Lendio. We work with hundreds of financial institutions nationwide and trust that each one values data security at the highest level.
Cross River officials issued their own statement:
Safeguarding information is essential to our mission and our role as a financial institution as we process and originate tens of thousands of loans to small businesses across the country impacted by Covid 19. Monday, there was a computer anomaly whereby one small business applicant’s name, email, address, phone number, and the last four SSN digits were shared with one other applicant. We performed a thorough investigation in conjunction with our partners and are working to ensure this remains an isolated incident.
Lendio representatives didn’t respond to an email seeking comment for this post.
Twitter messages mentioning Lendio indicate that the service has been racked by a series of performance problems over the past few days that are preventing many people from submitting loan applications. It’s likely that Cross River is experiencing the same crippling strain.
This is likely the result of the US Small Business Administration's resumption on Tuesday of accepting loan applications under the PPP. The program has attracted a torrent of people applying for loans after suffering business shutdowns caused by the coronavirus pandemic. That said, there’s a difference between a site falling over and one that presents one user’s sensitive data to a complete stranger who also happens to be using the same site.
There’s not much people can do to protect themselves in the latter situation. Stronger passwords and other good security hygiene won’t save you. Website security scanning tools don’t hurt, but in this case, two of them found the loan application URL to be low risk. And given social distancing, people seeking loans amid an unprecedented economic crisis have little alternative but to apply online. About the only refuge one can take is to monitor credit reports frequently and, whenever feasible, place a credit freeze with all four major credit reporting agencies.
Post updated to add comment from Lendio.