Bank Of America Warns Customers Of Data Breach After Vendor Hack
Bank of America is warning customers of a data breach exposing their personal information after one of its service providers was hacked last year.
Customer personally identifiable information (PII) exposed in the security breach includes the affected individuals’ names, addresses, social security numbers, dates of birth, and financial information, including account and credit card numbers, according to details shared with the Attorney General of Texas.
While Bank of America has yet to disclose how many customers were impacted by the data breach, Infosys McCamish Systems (IMS), the vendor that had its systems compromised, revealed in a recent filing with the Attorney General of Maine that 57,028 people had their data exposed in the incident.
Infosys, IMS’ parent company, is a multinational IT consulting giant with over 300,000 employees and clients in over 56 countries.
Bank of America serves approximately 69 million clients at over 3,800 retail financial centers and through approximately 15,000 ATMs in the United States, its territories, and more than 35 countries.
“On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications,” IMS said.
“On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.”
“It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS.”
LockBit claims ransomware attack on IMS
IMS said the security breach led to a “non-availability of certain applications and systems in IMS” when it first disclosed the incident in a filing with the U.S. Securities and Exchange Commission.
On November 4th, the LockBit ransomware gang claimed responsibility for the IMS attack, saying that its operators encrypted over 2,000 systems during the breach.
The LockBit ransomware-as-a-service (RaaS) operation came to light in September 2019 and has since targeted many high-profile organizations, including the UK Royal Mail, the Continental automotive giant, the City of Oakland, and the Italian Internal Revenue Service.
In June, cybersecurity authorities in the United States and partners worldwide released a joint advisory estimating that the LockBit gang has extorted at least $91 million from U.S. organizations following roughly 1,700 attacks since 2020.
A Bank of America spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.