
Bank of America Customer Data Exposed in Vendor Hack

Bank of America has issued alerts to its customers following a security incident that led to the disclosure of sensitive personal data. This breach was traced back to a cyberattack on one of its third-party service providers last year. 

Exposed Personal Data

The breach resulted in unauthorized access to a wide array of customer personally identifiable information (PII). This includes names, addresses, social security numbers, birth dates, and financial details such as account and credit card numbers. These revelations were made in a communication to the Texas Attorney General’s office.

Breach Magnitude

Although Bank of America has not provided specific numbers on the affected customers, details from Infosys McCamish Systems (IMS), the compromised vendor, indicate that around 57,028 individuals had their information exposed. 

IMS, under the Infosys umbrella, is a global player in IT consulting, boasting a workforce of over 300,000 across more than 56 countries. Bank of America, with its vast clientele of about 69 million, operates through thousands of financial centers and ATMs worldwide.

Incident Timeline

IMS experienced a significant cybersecurity incident around November 3, 2023, which led to the unauthorized access of its systems. This breach not only exposed sensitive data but also disrupted certain IMS applications. 

By November 24, IMS had informed Bank of America about the potential compromise of data related to deferred compensation plans managed by the bank, clarifying that the bank’s own systems were not breached.

LockBit Ransomware Involvement

In a filing with the U.S. Securities and Exchange Commission, IMS disclosed that the breach had disrupted several applications and systems. Following the breach, the LockBit ransomware group claimed responsibility, stating that they had encrypted over 2,000 systems during the attack.

LockBit, which first came to light in September 2019, has targeted numerous high-profile entities, accumulating an estimated $91 million in extortions from U.S. organizations alone since 2020. Some of its victims include the Italian Internal Revenue Service, the City of Oakland, and the UK Royal Mail.

Final Word

This incident underscores the complex cybersecurity challenges facing global financial institutions and the critical importance of robust security measures, especially in partnerships with third-party vendors.

Author: Anas Hasan

Date: February 13, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has vast experience in the digital transformation industry. When Anas isn’t blogging, he watches football games.
