Bank of America has informed its clientele about a breach of personal data linked to a third-party service provider, stemming from an incident last year. The breach occurred at Infosys McCamish Systems (IMS), a subsidiary of the Indian consultancy giant Infosys, which has connections to the family of Rishi Sunak’s wife. Unauthorized access to IMS’s network by an external party was detected in November.
Bank of America notified affected customers, disclosing that IMS took 21 days to notify the bank about the potential data compromise concerning deferred compensation plans managed by the bank. Bank of America’s internal systems remained unaffected.
While IMS hasn’t specified the exact nature of the exposed personal information, Bank of America suggested that it may include names, addresses, business email addresses, dates of birth, social security numbers, and various account details. Documentation submitted to the Texas Attorney General indicates that exposed account information might also involve account and credit card numbers. Filings with the Maine Attorney General indicate that more than 57,000 individuals were directly impacted.
Set against Bank of America’s extensive customer base of around 69 million people across 35 countries, the affected individuals represent a relatively small fraction. Nevertheless, the breach raises significant concerns due to the sensitivity of the financial data involved.
Inquiries were made to both Bank of America and IMS regarding the breach. While Bank of America hasn’t issued a statement, IMS’s response is pending.
LockBit, a cybercriminal group, claimed responsibility for the November 4th attack. Oz Alashe, CEO of CybSafe, commented on the breach, emphasizing the increasing interconnectedness of financial services through digital means. He underscored the benefits of such advancements but also the risks associated with entrusting customer data to third parties. Alashe stressed the importance of financial institutions and their partners prioritizing active security awareness over mere compliance, advocating for robust security measures.
Rick Jones, CEO and Co-founder of DigitalXRAID, warned that this incident might precede a significant cybersecurity event, urging a reassessment of software security standards within the industry.