The Bank of America data breach exposed personal information after Infosys McCamish Systems (IMS), one of its service providers, was hacked last year. The compromised PII includes names, addresses, social security numbers, dates of birth, and financial information such as account and credit card numbers.
Bank of America provides services to a large customer base of approximately 69 million individuals through various channels such as retail financial centers and ATMs across the United States, its territories, and over 35 countries.
As of now, Bank of America has not disclosed the exact number of customers affected by the breach. However, a notification letter submitted by Infosys McCamish to the Attorney General of Maine on behalf of Bank of America stated that a total of 57,028 individuals were directly impacted.
“Or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications,”
“On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.”
“It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS.”
The Bank of America Data Breach notification says.
Bank of America Data Breach Was a Result of LockBit Ransomware Attack on IMS
According to the initial disclosure filed with the U.S. Securities and Exchange Commission, the November security breach resulted in certain applications and systems in IMS becoming unavailable.
This disruption was caused by the LockBit ransomware gang, who claimed responsibility for the attack on November 4th. The gang stated that they had encrypted over 2,000 systems during the breach.
The LockBit ransomware-as-a-service (RaaS) operation has been active since September 2019 and has targeted several notable organizations, including the UK Royal Mail, the Continental automotive giant, the City of Oakland, and the Italian Internal Revenue Service.
In June, a joint advisory by cybersecurity authorities in the United States and international partners revealed that the LockBit gang has managed to extort a minimum of $91 million from U.S. organizations.
This hefty sum was obtained through approximately 1,700 attacks that have taken place since the year 2020. The advisory serves as a reminder of the significant financial impact caused by the activities of this criminal group.
Infosys, IMS’ parent company, is a multinational IT consulting and services provider giant with over 300,000 employees and clients in over 56 countries.
An official spokesperson from Infosys has not yet provided confirmation regarding the claims made by the LockBit gang or additional details about the security breach. However, it has come to light that Bank of America customers’ sensitive information, including financial account details, credit card information, social security numbers, and other government-issued identification numbers, were compromised.
This breach occurred in May 2023 when the service provider’s MOVEit Transfer platform was targeted by the Clop cybercrime gang. It is worth noting that the security breach involved data handled by leading accounting firm Ernst & Young.
“Bank of America has informed us that its systems and servers were not impacted by this event,”
Ernst & Young said.
As of February 13 at 03:24 EST, Bank of America has chosen not to provide any comments on the matter.
