Executive Summary
Recently, customers of Bank of America received alerts regarding a data breach that occurred last year. The breach was a result of a cyberattack on one of the company’s service provider, Infosys McCamish Systems (IMS).
This breach exposed sensitive personal information of 57,028 individuals. Key details include names, social security numbers, dates of birth, and financial information, such as account and credit card numbers.
The LockBit ransomware gang has claimed responsibility for this breach, which affected not only Bank of America but also several other companies involved in financial and insurance services.
In response, IMS has taken steps to investigate the breach, improve security measures, and offer identity theft protection to affected individuals. IMS is a subsidiary of Infosys, a global IT consulting firm with a significant presence worldwide.
What Happened
On or around November 3, 2023, an unauthorized third party accessed IMS systems, leading to the disruption of certain applications.
Later, on November 24, IMS informed Bank of America of the potential compromise involving deferred compensation plans serviced by the bank. Notably, the bank’s systems themselves were not breached.
Subsequently, IMS disclosed in a filing with the Attorney General of Maine that 57,028 individuals had their data exposed due to the incident. The exposed personally identifiable information (PII) includes the following:
- Names,
- Addresses,
- Social security numbers,
- Dates of birth,
- Financial details such as account and credit card numbers.
This information came alongside an announcement from the LockBit ransomware gang on November 4th. The gang claimed responsibility for the attack and stated that they encrypted over 2,000 systems during the breach.
The breach not only affected Bank of America but also impacted other companies involved with nonqualified compensation plans and group universal life insurance accounts. For instance, T. Rowe Price, the Vanguard Group, Principal Financial Group, and Ascensus through its Newport affiliate.
Response from IMS
In response to the breach, IMS engaged a forensic firm to conduct a comprehensive investigation and improve its security measures. Additionally, IMS sent letters to affected Bank of America customers in early February, informing them about the breach and providing details. They also offered impacted individuals complimentary two-year memberships for identity theft protection.
The letter advised recipients to remain vigilant by monitoring their credit reports and considering additional protective measures such as credit freezes or fraud alerts.
The broader implications of the breach were felt across several organizations, prompting a halt in account usage for affected plans. However, by early December 2023, systems were reported to be back online, with transactions processing as normal.
Closing Comments
This breach, which has impacted multiple companies, including Bank of America, is just one of many cyberattacks affecting multiple companies through third-party service providers. Recently, a cyberattack targeted two companies in France that manage third-party payments for supplementary health insurance. This attack compromised data on more than 33 million people. These pervasive incidents are a stark reminder of the persistent threat of cyberattacks and the importance of robust security measures to protect sensitive information.
- Integris Health’s Massive Data Breach Notice in US
- AT&T Admits 73 Million Customers’ Data Breached
- CISA & FBI Share How to Secure Water Systems
- MGM Resorts System Outage due to Cyberattack
- [CVSS 9+] CISA Releases Four Industrial Control Systems Advisories
- [CVSS 9+] Critical Vulnerabilities Expose AI Models to Attacks