Though Bank of America does not appear to have been directly at fault, another third party data breach at one of its service providers has compromised the personal information of over 57,000 customers and has once again thrown vendor screening and security into the spotlight.
Process management provider Infosys McCamish Systems, which appears to handle a deferred compensation program for the bank, was the source of the third party data breach. Only limited details about the attack are available at present, but it looks to have been the work of LockBit and to have involved ransomware.
Victims of third party data breach begin receiving notifications
According to a data breach notification filing in Maine, the incident took place in late October. In early February, impacted customers began receiving mailed breach notifications of their own that indicate it took place “around early November” of last year. Maine requires data breach victims to be notified within 30 days, but does allow for longer delays if recommended by a law enforcement investigation.
The incident does not appear to impact the vast majority of Bank of America’s roughly 6.9 million customers. The third party data breach seems to have been limited to the contractor’s own systems, and their relationship to the bank appears to be limited to servicing the deferred compensation plans it sells to employers. These plans are generally offered to executives and very high-earning employees as a 401k alternative. It is not yet known which employers are impacted.
The data breach filing did not assign responsibility, but did mention that “hacking” was the cause. The LockBit ransomware group took credit for it in November and posted a threat on its dark web portal to dump 50GB of stolen data if not paid. Security analysts have yet to note a follow-up dump of the data, so there is some speculation that the contractor settled the issue by making a ransom payment. LockBit, which has been one of the most prolific ransomware groups since 2020, had been asking for a minimum of $500,000 for the data but had also said that it would entertain bids from parties other than the victim.
The incident once again highlights the major security threat that larger enterprises face from the hundreds to thousands of contractors they work with. Bank of America itself does not have a particularly troubled cybersecurity record in terms of protecting its internal networks, but this is the second third party data breach it has experienced in the space of a year. The company was also caught up in the sprawling MOVEit data breach of 2023 by way of partner Ernst and Young.
Impacted Bank of America customers may have had financial accounts, social security numbers exposed
While it is far from unusual for the scope of data leaks to expand after initial reports, the fact that it is a third party data breach of a client tasked with one particular function does indicate that it will probably be relatively limited overall. That is little consolation to the impacted victims, however, who may have had an expansive amount of sensitive data exposed, including their bank account and Social Security numbers. Infosys McCamish says that it cannot pinpoint exactly what information was accessed for each of the impacted parties, but it is possible that it is essentially everything they have on file related to their deferred compensation plan.
The breach notification letters indicate that victims are being offered 24 months of free identity theft protection service via Experian. As to what steps victims can take on their own to protect themselves, the advice is pretty standard: change banking passwords as soon as possible, implement multi-factor authentication on these accounts if it is not present already, and keep a sharper eye than usual on any transactions or incoming messages that appear to be from a financial services provider.