Pierluigi Paganini February 13, 2024

Bank of America revealed that the personal information of some customers was stolen in a data breach affecting a third-party services provider.

Bank of America began notifying some customers following a data breach at the third-party services provider Infosys McCamish System (IMS). The bank has sent notification letters to 57,000 customers, informing them that their personal information has been compromised

Infosys disclosed the security breach on November 3, 2023, in a filing with SEC the company reported it was the victim of a cyberattack that resulted in the non-availability of certain applications and systems.

McCamish immediately launched an investigation into the incident and worked on the remediation with the help of cybersecurity consultants.

The effects of the cyberattack described by the victim suggest it was targeted by a ransomware attack. On November 4, the LockBit ransomware gang claimed responsibility for the attack.

The company restored the impacted systems by December 31, it also estimated the losses caused by the incident will be at least of $30 million.

“On the basis of analysis conducted by the cybersecurity firm, McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data. McCamish has engaged a third-party e- discovery vendor in assessing the extent and nature of such data. This review process is ongoing. McCamish may incur additional costs including indemnities or damages/claims, which are indeterminable at this time.” reads the statement sent to the SEC. “Infosys had previously communicated the occurence of this cybersecurity incident to BSE Limited, National Stock Exchange of India Limited, New York Stock Exchange and to United States Securities and Exchange Commission on November 3, 2023.”

On February 1, Bank of America started notifying 57028 customers impacted by the data breach.

the Maine Attorney General’s Office, Bank of America noted that it cannot determine “with certainty what personal information was accessed” during the attack.

“On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications. On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.” reads the letter sent to the impacted customers. “It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information.”

According to the financial institution, exposed data may include first and last name, address, business email address, date of birth, Social Security number, and other account information.

Bank of America states that they are not aware of any misuse involving the compromised information, however, the bank will provide a complimentary two-year membership in an identity theft protection service provided by Experian IdentityWorks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Bank of America)