Bank of America customer info exposed via third-party breach

US financial services company Infosys McCamish Systems (IMS) says the data of thousands of Bank of America (BOA) compensation plan customers were exposed in a breach of its systems allegedly carried out by the LockBit ransom gang last fall.

The Atlanta-based Infosys subsidiary, a provider of life insurance and retirement software services, filed a data breach notification with the Office of the Maine Attorney General on behalf of the banking giant Tuesday.

Listed as the “Outside Council for Bank of America,” IMS said the notification was being sent to BOA customers “out of an abundance of caution.”

Unfortunately for the 57,028 BOA customers affected, IMS admits in the notice “it is unlikely that we will be able to determine with certainty what personal information was accessed” during the November 2023 breach.

Sensitive personal information that may have been exposed includes:

  • First and last name, address,
  • business email address,
  • date of birth,
  • Social Security number,
  • other account information.

The breach took place sometime around November 3rd, when “an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications,” the notice stated.

According to IMS, Bank of America was informed of the breach and the possibility of customer data exposure on November 24th.

Bank of America’s systems were not compromised, IMS stated in the notice.

Meanwhile, the LockBit ransomware group claimed responsibility for the Infosys hack on November 4th, according to media reports at the time.

In the aftermath, IMS said it retained a third-party forensic firm to investigate and assist with recovery, including isolating and remediating malicious activity, rebuilding systems, and enhancing response capabilities.

To date, IMS said it had found no evidence of continued access by the threat actors.

Bank of America is no stranger to breaches. Last spring, over 30,000 of its customers had their credit card account numbers and other financial information compromised in another third-party hack involving accounting giant Ernst & Young, part of the MoveIt hacks carried out by the Clop ransom gang.

“Organizations like Bank of America that handle the personal customer data of millions must prioritize cybersecurity defenses, particularly with the use of third-party service providers,” said Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.

“The vulnerability of customer data exploited through IMS in November and Ernst & Young in May reiterates the vulnerability of these organizations to ransomware threats,” Costis pointed out.

“Threat actors use varying tactics, techniques, and procedures (TTPs) when deploying ransomware,” he said.

By simulating attacks and utilizing the MITRE ATT&CK Framework, Costis says organizations can test their security defenses against TTPs specific to ransomware groups.

“This preventative security approach gives valuable insight into the security systems response, setting teams up for more threat-informed mitigation,” he added.

LockBit strikes again

The LockBit ransomware group first appeared on the scene in 2019 and has climbed to the top of the food chain, breaching major names such as The Boeing Company, Allen and Overy law firm, Aldo shoes, and US mortgage company Planet Home Lending in the past twelve months alone.

The notorious threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, collecting tens of millions of dollars in bitcoin ransom payments.

LockBit is also known as the group behind last November’s massive exploitation of the Citrix zero-day vulnerability.

The gang’s ransomware variant LockBit 3.0 – also known as LockBit Black – is the ransomware's third iteration and is considered more evasive than all previous strains, a US Department of Justice report said.

The variant also happens to share similarities with two other Russian-linked ransomware strains, BlackMatter and BlackCat (ALPHV/BlackCat), the DOJ said.
