Dive Brief:
- A November 2023 “cybersecurity event” at Infosys McCamish Systems exposed Bank of America customer data, according to a breach notification letter from the bank’s outside counsel filed with the Office of the Maine Attorney General.
- Customers’ first and last names, addresses, business email addresses, dates of birth and Social Security numbers may have been among the compromised information. Bank of America said it was “unlikely that we will be able to determine with certainty what personal information was accessed.”
- A threat actor compromised IMS systems around Nov. 3, taking some IMS applications offline, Bank of America said in its letter. Bank of America said 57,028 customers were affected by the incident.
Dive Insight:
IMS notified Bank of America about the data breach Nov. 24. A Bank of America spokesperson told Banking Dive, “[y]ou should reach out to Infosys McCamish. We’re declining to comment.”
IMS provides services for deferred compensation plans. The company retained a third-party forensic firm to investigate and assist with the recovery plan following the security incident. The notice said the firm did not find any “evidence of continued threat actor access, tooling, or persistence in the IMS environment.”
LockBit claimed responsibility for the IMS attack Nov. 4 and said more than 2,000 systems were encrypted.
Bank of America customers were breached in another incident involving one of its third-party providers last year. An unauthorized actor accessed the systems of NCB Management Services, a national accounts receivable management company, last February, exposing the credit card account information of nearly 500,000 Bank of America customers.
Cyberattacks have long affected financial institutions, leading the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve to require banks to report incidents to their primary regulator within 36 hours, if it’s determined the incident could disrupt business or the stability of the financial sector.
The Federal Trade Commission has called for nonbanking financial institutions to report data breaches and other cybersecurity-related events no later than 30 days after discovering a breach affected at least 500 consumers.
“Third-party breaches continue to plague organizations,” Ray Kelly, a fellow at Synopsys Software Integrity Group, told Banking Dive via email. “Ensuring the trust chain between organizations, while not a simple task, is essential to protecting consumers’ private information.”