Bank of America admits data breach after supply chain hack
Customer info exposed
Bank of America has warned customers that their personal data has been exposed after a service provider was breached last year.
Infosys McCamish Systems (IMS) - a subsidiary of Indian consulting giant Infosys, owned by Rishi Sunak's wife's family - was breached last November, when "an unauthorised third party" accessed its network.
According to Bank of America's data breach notification, it took IMS 21 days to notify the bank that "data concerning deferred compensation plans serviced by Bank of America may have been compromised." Bank of America's systems themselves were not compromised.
Although IMS could not say exactly what personal information was involved, Bank of America wrote, "deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information."
Details shared with the Attorney General of Texas show that "other account information" may have included account and credit card numbers. Meanwhile, a filing with the Attorney General of Maine shows that more than 57,000 people were directly affected by the breach.
Considering Bank of America serves around 69 million customers across 35 countries, that is a vanishingly small number. However, any data breach - especially of sensitive financial information - is potentially a cause for concern.
We have contacted both the bank and IMS about the matter. Bank of America declined to comment, and we're still awaiting a response from its service provider.
LockBit claimed responsibility for the attack on 4th November last year.
Oz Alashe, CEO of CybSafe, said the breach's impact "emphasises how increasingly connected the financial services are becoming as the sector continues to digitise." Although he acknowledged the benefits of such an arrangement, he also noted the vulnerabilities opened by trusting a third party with customer data.
"Cybersecurity is not an 'in-house' issue, but one dependent on a series of organisations, from IT vendors and payment providers to cloud services and software platforms.
"Financial institutions and their partners must move beyond compliance and tick-box exercises, fostering an active security consciousness that encourages positive security behaviours."
Meanwhile, Rick Jones, CEO and co-founder of DigitalXRAID, warned, "What we're seeing here may be just the start of yet another hugely significant incident in the cyber industry, and what should be a watershed moment for software security."