Bank of America, one of the largest financial institutions in the United States, is alerting customers to a recent data breach that exposed their personal information. The breach is connected to Infosys McCamish Systems (IMS), a service provider for Bank of America, which fell victim to a cyberattack last year.
According to information shared with the Attorney General of Texas, the data breach compromised sensitive customer data, including names, addresses, social security numbers, dates of birth, and financial information such as account and credit card numbers. Bank of America, serving approximately 69 million clients across various platforms, declined to comment on the matter when approached for further details.
The breach notification letter filed with the Attorney General of Maine revealed that a total of 57,028 individuals were directly affected by the breach. IMS reported that on or around November 3, 2023, an unauthorized third party gained access to its systems, resulting in the non-availability of certain IMS applications. However, Bank of America's own systems were not compromised in the incident.
The security breach attracted attention when the LockBit ransomware gang claimed responsibility for the attack on IMS, stating that they had encrypted over 2,000 systems during the breach. LockBit, a notorious ransomware-as-a-service (RaaS) operation, has been implicated in numerous high-profile cyberattacks, including those targeting the UK Royal Mail, the City of Oakland, and the Italian Internal Revenue Service.
Authorities in the United States and abroad estimate that LockBit has extorted at least $91 million from U.S. organizations through roughly 1,700 attacks since 2020. Despite these claims, Infosys, IMS' parent company, has yet to respond to requests for confirmation regarding LockBit's involvement in the breach.
This isn't the first time Bank of America customers' data has been compromised through a service provider. In May 2023, financial account information, credit card details, social security numbers, and other unique identifiers managed by Ernst & Young were exposed after the firm's MOVEit Transfer platform was breached by the Clop cybercrime gang.
John Gunn, CEO, Token commented on the incident:
"You can be certain that Bank of America has the highest level of security and imposes incredibly stringent cybersecurity requirements on their third-party partners, with the latter being legendary. With large global organizations that have thousands of service providers, these events are nearly impossible to prevent. Cybercriminals have stepped up their attacks on outsource service providers knowing they cannot directly defeat the cybersecurity of a major bank. The silver lining is that this event impacted less than 1/1000th of their customer base." Bank of America reassured that its systems were unaffected by this incident. As cybersecurity threats continue to evolve, incidents like these underscore the importance of robust security measures and heightened vigilance across the financial sector. Customers are advised to remain vigilant, monitor their accounts for any suspicious activity, and promptly report any concerns to their financial institutions.
We also heard from Paul Valente, CEO & Co-Founder, VISO TRUST for the CISO perspective:
"Bank of America’s breach involving IMS is a stark reminder that even the strongest security fortresses can be undermined by exploiting the expanded attack surface connected third party ecosystems represent. CISOs know it's all too common that companies invest millions in top-notch security only to entrust their data to lesser-known vendors with questionable defenses. Questionnaires won't cut it – we need a thorough understanding of a vendor's security program maturity. Time for a reality check in the world of data protection.”