A business owner discovered a federal loan had been funded in her company's name. The application had been submitted before she noticed. The funds had been collected, the debt was accruing, and her EIN, business address, and formation documents were all sourced from publicly accessible state filing records. She did not apply. She had no knowledge the loan existed until the federal inquiry arrived.
The exposure vector was not a hack. Nothing was breached. Every data point the fraudster needed was legally available to anyone who searched her business name in the state corporate registry. The EIN surfaced in a merchant registration. Her name appeared in a publicly indexed permit. Her operating address was listed in the LLC formation record. No system was compromised because no system needed to be. The information was already in the open.
What makes this a structural problem rather than a procedural one is the layering. Closing the exposure after the fact means identifying every public record that indexed the original data, understanding which databases pulled from those records, and determining which third-party aggregators have already distributed copies. Removing one record does not remove the trail. A small business owner who attempts this sequence without knowing the full surface area will miss nodes. Each missed node is a vector that remains open. The remediation architecture has to account for what the cleanup effort itself reveals, and that sequencing is not intuitive.
Every single triage story we publish is happening to real business owners in real time. The RuleDraft Small Business Isolation Manual was engineered for this exact reality.