Bank of America is informing its customers about a data breach at a third-party services provider that resulted in the theft of some customers’ personal information.
57,000 clients of Bank of America are receiving notice letters informing them that a data breach at Infosys McCamish Systems (IMS), a third-party services provider, resulted in the theft of their personal information.
The incident was made public on November 3, 2023, when Infosys, the parent company of IMS, reported to the US Securities and Exchange Commission that it had been the target of a cyberattack that caused a number of its systems and applications to go down.
The company notified the SEC on January 11 that all affected systems had been restored by December 31 and that the incident’s losses were anticipated to be $30 million. The business also mentioned the possibility of additional expenses like indemnities or damages/claims.
“McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data,” the company said.
Customers began receiving notifications from Bank of America on February 1st, informing them that the IMS problem may have affected “data concerning deferred compensation plans serviced by Bank of America.”
Bank of America stated in the letter—a copy of which was sent to the Maine Attorney General’s Office—that it is unable to say “with certainty what personal information was accessed” during the attack.
Names, addresses, dates of birth, Social Security numbers, corporate email addresses, and other account information, however, might be included in deferred compensation plan data.
“Although we are not aware of any misuse involving your information, we are notifying you that Bank of America will provide a complimentary two-year membership in an identity theft protection service,” Bank of America said.
The LockBit ransomware gang released the data purportedly taken from IMS on November 4 and claimed responsibility for the attack, despite neither IMS nor Bank of America disclosing anything about the nature of the cyberattack.
Infosys McCamish Systems (IMS), a subsidiary of the Indian consulting giant Infosys, which is owned by the family of Rishi Sunak’s wife, suffered a security breach last November when “an unauthorised third party” gained access to the company’s network.
The data breach report from Bank of America states that IMS took 21 days to inform the bank that “data concerning deferred compensation plans serviced by Bank of America may have been compromised.” The systems of Bank of America were not breached.
IMS was unable to provide specific details on the personal information that was involved, but according to Bank of America, “deferred compensation plan information may have included your date of birth, Social Security number, first and last name, address, business email address, and other account information.”
Information provided to the Texas Attorney General indicates that credit card numbers and account numbers may have been part of the “other account information”. Meanwhile, almost 57,000 persons were directly impacted by the incident, according to a filing made with the Maine Attorney General.
That is a vanishingly small number when you consider that Bank of America serves about 69 million customers in 35 different countries. But any data breach could be a reason for concern, particularly if it involves sensitive financial data.
We have discussed the issue with IMS and the bank. Bank of America declined to comment, and its service provider has not yet responded.
LockBit claimed responsibility for the attack that occurred on November 4th of last year.
The consequence of the hack, according to Oz Alashe, CEO of CybSafe, “emphasizes how increasingly connected the financial services are becoming as the sector continues to digitize.” While he recognized the advantages of this kind of arrangement, he also pointed out the risks involved in entrusting a third party with client information.
“Cybersecurity is not a problem that is ‘in-house,’ but rather one that depends on many different organizations, including software platforms, cloud services, payment processors, and IT vendors.
“Financial institutions and their partners must move beyond compliance and tick-box exercises, fostering an active security consciousness that encourages positive security behaviours.”
As for DigitalXRAID, its CEO and co-founder Rick Jones issued a warning, saying, “What we’re seeing here may be just the start of yet another hugely significant incident in cyber industry, and what should be a watershed moment for software security.”