WASHINGTON -- Borrowing by U.S. small businesses fell sharply in August, data showed Wednesday, a sign firms were pausing to consolidate recent investments in their operations.
The Thomson Reuters/PayNet Small Business Lending Index fell 10.2 percent to 114.5 in the month from a more-than-seven-year high reached in July.
The index gauges borrowing by firms with $1 million or less in outstanding debt.
The drop brought the index 1.2 percent below its year-ago level. It was the first year-on-year decline since March 2013, but it followed a period of strong borrowing growth.
PayNet founder and President Bill Phelan said August's decline suggests small businesses are taking a break from the borrowing and investments of previous months to integrate new property or equipment in their operations.
In four of the five prior months, the index had double-digit gains from a year earlier, and Phelan said the drop didn't indicate any major changes in the economy.
"The report looks negative, but the reality is that after five consecutive months of strong increases, they're digesting those heavy investments. It means that small businesses are not over-investing," Phelan said.
The investments over the prior several months, he said, will lead to new jobs as businesses hire workers to run their newly purchased equipment or plants.
A separate PayNet index showed loan delinquencies inched up in August from the prior month. Delinquencies of 31 to 180 days, PayNet's broadest measure of late loan payments, applied to 1.58 percent of all loans made, compared with 1.55 percent in July.
PayNet collects real-time loan information such as originations and delinquencies from more than 250 leading U.S. lenders.
The 5 Worst Retail Data Breaches
Small-Business Borrowing Takes a Tumble in August
Affected: 56 million cards.
Duration of compromise: Five months.
Tactic: Malware was installed to skim payment card data; unclear how hackers found an entry into the company's network.
Analysis: "Home Depot's situation is not only a PR nightmare for the home improvement colossus, but it is becoming the poster child for poor security practices across the board. Based upon the enormity of their footprint and alleged poor security, I'm mystified that it took as long as it did for them to be breached. Clearly, they did not heed Target's Paul Revere moment with sufficient urgency."
Affected: 40 million payment card numbers and 70 million other pieces of customer data; 98 million people.
Duration of compromise: Nov. 30 to Dec. 15, 2013.
Tactic: Used credentials of a heating, ventilating and air conditioning vendor to get into Target's network to install the malware to point of sale systems.
Analysis: "In a nation where everything is super-sized, Target (TGT) was one of the first true big-box retailers thrust into the spotlight after their mega breach. While a number of their executive team members have walked the plank and their board is the target of litigation, and their bottom line and share price have taken a hit, the breach highlights the importance of scrutinizing every vendor's security practices – or at least looking into cyber insurance to mitigate the damage of a vendor caused breach. This was a Paul Revere moment for the retail industry. Unfortunately, recently announced retail mega breaches indicate that not enough organizations have taken it as seriously as they should have."
Affected: As many as 200 of its grocery and liquor stores and millions of cards; credit/debit account information possibly stolen.
Duration of compromise: Almost one month.
Tactic: Network access to system that processes transactions.
Analysis: "Little information about this breach has surfaced, but one can only suspect the tactic was similar to that of other big breaches -- POS malware. And according to Avivah Litan, a fraud analyst at information technology firm Gartner, when someone uses a debit or credit card, there's a one in five chance malware is capturing that information. Although Supervalu (SVU) execs say it's not clear if account information has been stolen, scary stats like this suggest otherwise."
Affected: 3 million customer credit and debit cards (they also had a breach in 2011 where skimmers were installed on about 70 POS systems and financial information was stolen). Affected systems contained certain payment card information, such as credit/debit card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer information, such as name, address or debit card PIN, was at risk in connection with this issue, however, current automated bank systems make it all to easy to change debit card pin numbers.
Duration of compromise: Two separate eight-month-long security breaches.
Tactic: POS malware.
Analysis: "Unfortunately, in the breach lottery Michael's hit the exacta -- old-school skimmers installed in the dead of night on their POS systems did the trick in the first breach, and the now-popular POS malware scorched them for a second time -- for 3 million. Two high-profile breaches in a couple of years isn't a goodwill builder for the craft giant."
Affected: Usernames and passwords of employees and users.
Duration of compromise: Unknown.
Tactic: The origin of the breach comes from hackers compromising a small number of employee log-in credentials, which gave access to eBay's (EBAY) corporate network. EBay says it is working with law enforcement and leading security experts to "aggressively" investigate the matter. Appears to be from a phishing email.
Analysis: "Sophisticated spear phishing scams can turn even the most savvy and sophisticated employee into an unwitting co-conspirator. Comprehensive, continuous security training for all employees, implementation of tough security protocols, use of intricate passwords and rigorous outside testing and monitoring can help avoid a reputation damaging breach."