Bank of America accidentally exposed the personal details of applicants for loans from the Paycheck Protection Program (PPP) during a test submission to the US Small Business Administration (SBA) system.
Bank of America notified the California Attorney General's office of the breach, which occurred on 22 April.
The bank has not disclosed the number of customers impacted by the leak, although it says it has processed 305,000 PPP relief applications with the SBA.
"During testing, we discovered information included in your application may have been visible for a limited time period to a limited number of other lenders and their vendors authorized by the SBA to participate in the program," the bank wrote in its filing. "There is no indication that your information was viewed or misused by these lenders or their vendors. And your information was not visible to other business clients applying for loans, or to the public, at any time."
Nonetheless, the bank is offering all impacted customers a complimentary two-year membership in an identity theft protection service provided by Experian. It is also advising clients to scan credit reports and account statements over the next 12 to 24 months for unauthorised transactions or instances of identity theft.
Data exposed included business address and tax identification number, and personal information such as Social Security Number, phone number, email address and citizenship.
In March, the SBA reported that a flaw in an online application portal for its Economic Injury Disaster Loan programme exposed the personal data of approximately 8,000 loan applicants.