Vendor Hack Yields Bank of America Customers’ Data

February 19, 2024

Computing, a British publication, reports that a third-party data breach has exposed the personal data of Bank of America customers. According to the Bank, the vendor has been identified as Infosys McCamish Systems (IMS).

The breach occurred on November 4, 2023. LockBit claimed responsibility for the attack.

IMS is a subsidiary of Infosys, a large fintech consulting company based in India, and is owned by the family of UK Prime Minister Rishi Sunak.

Bank of America’s notification to customers explained that it took IMS three weeks to notify the bank that “data concerning deferred compensation plans serviced by Bank of America may have been compromised.”

IMS could not say exactly what personal information was involved, but according to the notice, “deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information.”

Computing quotes a cybersecurity expert who said the breach “emphasizes how connected the financial services are becoming as the sector continues to digitize,” and noted the vulnerabilities created by simply trusting third parties, including IT vendors, payment providers, cloud services, and software platforms, with customer data.

The Attorney General of Texas asked for more information, which showed that “other account information” may have included account and credit card numbers.

A document filed with the Maine Attorney General shows more than 57,000 people were directly affected. By comparison, Bank of America serves 69 million customers in 35 countries.
