Bank of America is warning customers that their data may have been breached following a cyber attack on Infosys McCmamish Systems (IMS) – one of its third-party service providers
IMS, a subsidiary of the Indian consulting firm Infosys, was breached last November when an “unauthorised third party” infiltrated its network.
According to Bank of America's data breach notification, it took the firm three weeks to notify the bank that "data concerning deferred compensation plans serviced by Bank of America may have been compromised."
Bank of America's own internal systems were not compromised as a result of the hack. But its reliance on IMS for managing deferred compensation plans meant that some customer data was stored in IMS’ systems due to its role as a third-party service provider.
While IMS could not say exactly what personal information was involved, Bank of America revealed that the stolen data included "deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information."
The large bank has around 69 million clients at over 3,800 retail financial centres and through approximately 15,000 ATMs in the United States, its territories, and more than 35 countries.
While the banking giant has yet to disclose how many of these customers were impacted by the data breach, an IMS breach notification letter filed with the Attorney General of Maine on behalf of Bank of America revealed that a total of 57,028 people were directly impacted.
"On around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications," that notification reads
"On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised. It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS.
"According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information.”
A third-party data breach
The November security breach on IMS led to a "non-availability of certain applications and systems in IMS," as was revealed when the incident was first disclosed in a filing with the US Securities and Exchange Commission.
On November 4th, the LockBit ransomware gang claimed responsibility for the hack, saying that its operators encrypted over 2,000 systems during the breach.
Details shared with the Attorney General of Texas soon after show that the data stolen may have included account and credit card numbers. Another filing with the Attorney General of Maine shows more than 57,000 people were directly affected by the incident.
Considering Bank of America serves around 69 million customers across 35 countries, that is a vanishingly small number. Still, any security incident – especially of sensitive financial information – is a cause for concern.
The bank said it would provide a complimentary two-year membership in an identity theft protection service to keep the affected customers’ data out of the hands of malicious actors.
The Impact of the Bank of America Data Breach
Bank of America customers' financial account information, credit card, social security, and other unique government-issued identification numbers handled by leading accounting firm Ernst & Young were also exposed after the service provider's MOVEit file transfer software was breached by the Clop ransomware gang last year.
"Bank of America has informed us that its systems and servers were not impacted by this event," Ernst & Young said at the time.
But Oz Alashe, CEO of CybSafe, said the attack's impact "emphasises how increasingly connected the financial services are becoming as the sector continues to digitise."
"Cybersecurity is not an ‘in-house' issue, but one dependent on a series of organisations, from IT vendors and payment providers to cloud services and software platforms," commented Alashe.
"Financial institutions and their partners must move beyond compliance and tick-box exercises, fostering an active security consciousness that encourages positive security behaviours."
Sylvain Cortes, VP of Strategy at Hackuity, said banks are at increased risk of cybercrime due to being increasingly reliant on third parties.
“Commercial pressures are driving banks to digitise their services which makes them ever more reliant on service providers. But this also means that their providers become a significant point of security exposure. In cruder terms, their supply chain is their problem to manage.
"It’s not just that banks are under attack. Risk cascades down through any service provider, supplier, or partner that holds or processes their sensitive data and who is also a prime target."
"Particularly in light of DORA and future regulations, this incident is another wake-up call of the small ‘degrees of separation’ in our complex supply chains: any weak links expose banks – and their customers’ data – to significant risk.”
If you think your data might be exposed, Bank of America advises that you: “promptly review your credit reports and account statements over the next 24 months and notify your financial institution of any unauthorized transactions or incidents of suspected identity theft.”
Tech Show London is the UK's most important technology event for business happening on 6-7 March 2024 at ExCeL London.
Be a part of the latest tech conversations at the Mainstage Theatre and discover pioneering innovations on the exhibition floor. You won't want to miss one of the most exciting technology events of the year where thousands of business leaders and influencers will be in attendance.
By registering your interest to attend Tech Show London 2024, you'll gain exclusive access to all Mainstage content from the 2023 event! Tech Show London brings together five leading technology events: Cloud Expo Europe, DevOps Live, Cloud & Cyber Security Expo, Big Data & AI World, and Data Centre World.
One ticket gets you free access to all five shows on 6-7 March 2024 at ExCeL London.