Bank of America has officially notified customers and authorities that one of its vendors, Infosys McCamish Systems (IMS), suffered a data breach last year that exposed data tied to several of the banking giant's services, putting its customers' personally identifiable information (PII) at risk.
First reported by Bleeping Computer, information shared with the Attorney General of Texas states that the impacted individuals' names, addresses, social security numbers, dates of birth, and financial information, including account and credit card numbers, are among the customers' personally identifiable information (PII) exposed in the security breach.
The official notification for customers was sent on February 1 of this year, but the data breach occurred on November 3, 2023. The notice explains that a cybersecurity incident affecting IMS occurred when an unauthorized third party accessed IMS systems, making several applications unavailable.
IMS reportedly notified Bank of America on November 24, 2023, that information about deferred compensation schemes that Bank of America services might have been compromised. Still, the letter maintained that Bank of America's systems were not compromised.
IMS then hired a separate forensic company to investigate and to help with IMS's recovery plan, which involved reconstructing systems, improving response capabilities, and stopping and eliminating hostile activity. Bank of America's vendor has not yet discovered proof that threat actors can still access, use, or remain in its systems.
Bank of America's Efforts
In response to the breach, the Bank of America vendor informed clients that the banking giant would provide a free two-year subscription to an identity theft protection program, despite claiming to be unaware of any misuse of customer information.
Experian Identity Works will reportedly provide the theft protection solution. Customers are allegedly informed that all they need to do to activate the service is to enroll and that they will not be charged for the service. It is stated that the complimentary service will give clients daily access to their credit reports from three national credit reporting agencies, online tracking, and identity theft recovery.
Bank of America vs. LockBit
The ransomware gang LockBit allegedly took credit for the IMS attack on November 4, claiming that its operators encrypted over 2,000 systems during the hack. Since its discovery in September 2019, the LockBit ransomware-as-a-service (RaaS) operation has attacked numerous well-known institutions, including the Italian Internal Revenue Service, the UK Royal Mail, the major car company Continental, and the City of Oakland.
This is the second data breach incident concerning Bank of America vendors. In the months after last November, the US division of EY began contacting Bank of America customers who proved to be affected by a customer data breach incident.
As in the latest data breach, sensitive information was leaked, but the investigation concluded that neither Bank of America's nor EY's internal systems were impacted.