In November 2023, the Lockbit ransomware gang claimed responsibility for targeting the Infosys McCamish system, and it appears that the aftermath of the data breach is unfolding.
Bank of America customers participating in deferred compensation plans are facing concerns after a data breach at Infosys McCamish Systems (IMS), a third-party provider managing these plans. The incident, initially reported in November 2023 but only publicly disclosed this month, exposed the personal information of 57,028 individuals.
The latest incident shouldn’t be surprising, given that Bank of America is a lucrative and highly sought-after target for both script kiddies and sophisticated cybercriminals. The data breach in May 2020 serves as a notable precedent, as does the continuing series of phishing attacks targeting the bank’s customers.
What Happened:
In a letter sent by Infosys McCamish to affected customers, on November 3rd, 2023, an unauthorized third party infiltrated the IMS systems, accessing sensitive customer data. The information potentially compromised includes names, addresses, social security numbers, dates of birth, financial details linked to deferred compensation plans and other account information.
According to the data breach notification filed by the company with Maine’s Attorney General, 93 residents of Maine have been impacted by the data breach. The information trove could be used for a variety of malicious activities, including identity theft, financial fraud, and phishing scams. Although the specific nature of the security lapse remains unclear, IMS has implemented measures to prevent future breaches.
Affected Individuals:
While the exact number of affected Bank of America customers is known (57,028), the extent of data accessed for each individual remains uncertain. IMS claims they cannot determine which specific pieces of information were viewed by the unauthorized party.
However, it is worth noting that on November 4, the LockBit ransomware gang claimed responsibility for the IMS attack, stating that its operators encrypted over 2,000 systems during the breach.
Bank of America’s Response:
Bank of America learned of the breach on November 24th, 2023, and has since taken steps to notify affected customers. The bank is offering complimentary two-year memberships to Experian’s identity theft protection services to help mitigate potential risks. Additionally, they recommend that customers remain vigilant and monitor their accounts for suspicious activity.
Experts Provide Insight on the Data Breach:
For insights into the latest development, we spoke with Tim Callan, Chief Experience Officer at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), who raised questions about the cybersecurity measures at third parties.
“As financial institutions increasingly rely on third-party vendors for various services, they inadvertently broaden their attack surface, exposing sensitive customer data to potential breaches. Strengthening oversight and implementing stringent security protocols for third-party partnerships are imperative to mitigate such risks,” Tim Advised.
Al Lakhani, CEO of IDEE, emphasized the limitations of traditional multi-factor authentication (MFA) systems and advocated for next-generation MFA solutions to protect the supply chain.
“Protecting the supply chain is critical. Especially when they can cause these kinds of attacks. Therefore, relying on first-generation MFA that requires two devices and lacks the capability to prevent credential phishing attacks is a non-starter,” Al explained. “To fortify supply chains effectively, they must be protected using next-generation MFA solutions, which protect against credential, phishing and password-based attacks, including adversary-in-the-middle attacks by using same device MFA,” he said.
Ongoing Concerns:
Despite Bank of America’s response, concerns remain for impacted individuals. The lack of clarity regarding which data was accessed and the possibility of misuse are significant sources of anxiety. The potential for financial losses, identity theft, and other negative consequences cannot be ignored.
Industry Implications:
This incident highlights the growing threat of data breaches within the financial services industry. It underscores the importance of strong cybersecurity measures for both financial institutions and third-party providers like IMS. The reliance on third-party services introduces additional vulnerabilities, requiring stringent data security protocols and comprehensive risk management strategies.
Looking Forward:
While the immediate impact of the breach remains to be seen, it serves as a stark reminder of the importance of data privacy and security. Individuals are advised to remain vigilant, monitor their accounts closely, and utilize the resources offered by Bank of America.
Additionally, this incident emphasizes the need for stricter regulations and enhanced security protocols within the financial services industry to protect customer data and prevent future breaches.