Bank of America customers personal information exposed in data breach

Bank of America is warning customers of a personal data breach as it reveals one of its service providers, Infosys McCamish Systems (IMS), was hacked last year.

The attorney general of Texas detailed that the personally identifiable information exposed in the breach includes the names, addresses, social security numbers, dates of birth, and financial information including account and credit card numbers of the affected individuals.

Approximately 69 million people use Bank of America through its retail financial centres, and thousands of ATMs in not only the US, but 35 other countries too.

On behalf of the bank, the attorney general of Maine revealed that a total of 57,028 people were directly impacted by the breach.

The notice of the attack informs that it occurred on or around 3 November last year, by “unauthorised third party accessed IMS systems, resulting in the non-availability of certain IMS applications.”

It says it alerted Bank of America on 24  November that “data concerning deferred compensation plans serviced by Bank of America may have been compromised,” but the bank’s own systems were not.

It also noted that it will likely not be able to determine what exact personal information was accessed.

Protecting the supply chain is when these types of breaches occur is  critical, according to Al Lakhani, CEO of cyber security firm IDEE. “Especially when they can cause these kinds of attacks.”

“To fortify supply chains effectively, “ he adds, “they must be protected by using next-generation multi-factor authentication (MFA) solutions, which protect against credential, phishing and password-based attacks, including adversary-in-the-middle attacks by using same device MFA.”

Ransomware gang LockBit claimed responsibility for the attack, saying its operators encrypted over 2,000 systems.

It says the IMS offered $50,000 for the 50GB of data back, but started bidding the information on the black market for $500,000.

Who is LockBit?

TechInformed has reached out to Bank of America and IMS for comment.

11,000 of Bank of America’s customer’s personal information has already been leaked in August last year as the consulting company it uses, Ernst and Young, became victim of the MOVEit file transfer attack.

The MOVEit attack saw multiple companies’ customer information exposed including airline British Airways, broadcaster BBC, and high street shop Boots.