A breach beyond banks: the Infosys incident and its wider implications


The Bank of America recently revealed that it had been hit with a security breach that has impacted thousands of its customers.

The source of this breach was traced back to a cyberattack last year on Infosys McCamish Systems (IMS), a subsidiary of Infosys, a technology services giant. The attack compromised data belonging to Bank of America customers, highlighting the interconnected risks within the financial services landscape.

A timeline of turmoil: Infosys' breach and its consequences for Bank of America

On November 3rd, 2023, Infosys disclosed a security incident that had rendered several IMS applications and systems inaccessible. With assistance from external data forensics experts, IMS's investigation concluded with a notification to the Bank of America on November 24th, 2023, about the potential impact on their customers' data.

Further filings with the Attorney Generals of Texas and Maine provide a clearer picture of the breach's scope. The incident, described as an "External system breach (hacking)," led to unauthorized access to sensitive customer information, including names, Social Security numbers, and financial account details. The breach notification, submitted on behalf of Bank of America by an outside attorney, pinpointed IMS as the source of the leak, affecting 57,028 individuals.

After this incident, the Bank of America contacted the customers by sending them letters on February 6th. These letters informed the individuals about the scope of the data breach. It also guided them on safeguarding their information to prevent potential misuse.

Bank of America vendor breach: a second strike on customer data

It's essential to highlight that this latest breach did not directly compromise Bank of America's computer network but impacted deferred compensation plans serviced by the bank. But more worryingly, this is the second data breach incident with a Bank of America vendor. Last November, the US branch of EY initiated outreach to Bank of America clients who were identified as impacted by an incident involving a customer data breach.

Once again, we see another news story about a customer's personally identifiable information (PII) being exposed. But this situation should serve as a reminder of the pressing need for system changes. We can no longer afford to dismiss or accept that disclosing data like names, addresses, social security numbers, dates of birth, and financial details is almost unavoidable in this modern digital era.

The ripple effect: how the Infosys data breach is a warning for public infrastructure

The role of Infosys in this latest breach should also raise alarm bells for the financial sector and raise further questions about the broader sphere of public and critical infrastructure.

Infosys has extensive contracts within the public sector, including significant engagements with the UK government worth £172 million, and plays a pivotal role in designing and maintaining digital public infrastructure (DPI). This DPI is crucial for achieving developmental goals and facilitating seamless connectivity and operations across government services.

However, one important question arises from this incident: What if the next breach doesn't only involve data? Also, does it target fundamental public infrastructure? The potential consequences of such a breach, causing disruptions to services like utilities and emergency response, threaten public safety. This emphasizes the need for cybersecurity measures.

In its seventh Annual Review, the National Cyber Security Centre (NCSC) National Cyber Security Centre echoes these concerns by highlighting an 'eCentre' and a significant threat to infrastructure in the UK. The risk landscape is significantly increasingly complicated and unpredictable with the emergence of state-aligned groups and increased aggressive cyber activities. This situation is further exacerbated by geopolitical tensions, notably the challenges posed by China and the actions of those sympathetic to Russia's further invasion of Ukraine.

The NCSC warnings and recent breaches in Russia highlight the importance of collaboration

between governments, private sectors, and international allies to bolster cyber resilience. As we navigate this environment, safeguarding infrastructure security and ensuring integrity in democratic processes dramatically depends on our collective ability to anticipate, prepare for, and mitigate evolving cyber threats. This is essential for maintaining safety and continuity of services in today's age.

What does this mean for businesses

There is currently an underlying tension between economic efficiency and safeguarding personal information. For example, outsourcing IT and network departments for cost savings could become increasingly scrutinized for compromising data security. The increasing dependency on third-party organizations for digital services also highlights a need for a

trustworthy chain between different organizations that protect consumers' data.

Unsurprisingly, these sentiments are echoed in the comments section of news articles and online communities. There is an increasing theme of frustration and anger directed at corporations for their perceived negligence and the minimal consequences they face following such breaches. Many also appeal to regulators to deliver more stringent penalties and accountability measures to prevent future incidents.

However, we’ve been here many times before. The memories of breaches, like the one at Equifax, act as a reminder of the repercussions that come with not taking action, intensifying the need for a fundamental change. We find ourselves at a point where progress requires both advancements and a shift in mindset toward responsibility, openness, and adaptability.

An urgent call for a data security revolution

The recurring breaches in the banking sector highlight the imperative for an overhaul in safeguarding sensitive personal information. This isn't merely a technical challenge but a clarion call for a systemic transformation that prioritizes data security not as an afterthought but as a cornerstone of digital trust. Today’s breach concerns banking, but tomorrow, we could be reading about an attack on the supply chain or public infrastructure.

As society grapples with these complex challenges, the collective sentiment of frustration, vulnerability, and demand for change forms a powerful catalyst for reimagining data protection. The time for half-measures has gone. The future demands robust, proactive solutions to restore confidence and ensure the security of our digital identities.