EY breach exposes Bank of America customer credit card numbers


Ernst & Young (EY) said over 30,000 Bank of America customers were exposed via the MOVEit Transfer attacks, with threat actors accessing financial account information and credit card numbers.

EY’s US branch started contacting individuals impacted by the recent data breach involving customer data. The company, one of the world’s largest accounting and professional services firms, specifically reached out to Bank of America clients, whose data it was handling.

“[EY] is writing to notify you of an issue that involves your personal data. EY provides consulting, advisory, and tax services to Bank of America. As part of those services, we receive and handle information that may include personal data in certain instances,” the company’s letter said.


In late June, it was reported that EY fell victim to the MOVEit Transfer attacks. The company employed MOVEit software “to support the transfer of data files.” The Cl0p ransomware gang claimed responsibility for exploiting a SQL injection flaw in the MOVEit Transfer file-transfer software, impacting thousands of companies worldwide.

What data did the EY breach expose?

According to EY’s letter to impacted individuals dated August 9th, it learned about the incident on May 31st and launched an investigation to understand the issue’s scope.

While the investigation revealed that neither EY’s nor Bank of America’s internal systems were affected, a trove of sensitive data was exposed.

According to EY’s letter to the Maine Attorney General, 30,210 individuals were exposed in the attack. The exposed data may have included:

  • First and last names
  • Addresses
  • Financial account information
  • Debit or credit card numbers
  • Social Security numbers
  • Government-issued ID numbers

Cybercriminals can use stolen information to commit fraud: from identity theft and phishing attacks to opening new credit accounts, making unauthorized purchases, or obtaining loans under false pretenses.

Experts warn that even seemingly insignificant pieces of leaked personal information can be collated to have a devastating impact. Victims whose data has been leaked often don’t realize they’ve been compromised and therefore take no action to mitigate the outcome.

EY said that Bank of America will provide exposed clients with a “complimentary two-year membership in an identity theft protection service.” The letter urges potential victims to be vigilant and cautiously review account statements and credit reports for suspicious activity.

EY posted on Cl0p's dark web blog. Image by Cybernews.

Who’s behind the EY attack?

So far, over 620 organizations and over 40 million individuals have been confirmed to be impacted by Cl0p’s MOVEit Transfer attacks. EY and other major accounting firms, such as Deloitte and PwC, have been among the impacted.

Cl0p claims that it has access to a staggering three terabytes of EY’s data, stolen during the attack. The cybercrooks say they have data ranging from financial reports to passport scans. If the volume of stolen data is confirmed, additional exposed EY customers may surface.

Numerous well-known organizations have had their clients exposed in the attack. Recently, TD Ameritrade, a US stockbroker, said over 60,000 of its clients were exposed, with Cl0p taking the financial account data of some.

Other named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, and Johns Hopkins University and Health System, Warner Bros Discovery, AMC Theatres, Honeywell, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.

How did MOVEit attacks happen?

Cl0p exploited a now-patched zero-day vulnerability in the MOVEit Transfer software, allowing cybercrooks to access and download the data stored there.

The bug attackers exploited was a Structured Query Language (SQL) injection vulnerability, a class of flaw in which untrusted input is treated as part of a database query rather than as plain data. An attacker can then alter what the query does, for example returning records they were never authorized to see.

The bug is particularly dangerous because attackers can use the initial SQL injection for secondary attacks, which could mean that hundreds of breached organizations are only the first wave of a massive tsunami.
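The following added example (not MOVEit's code; the file-metadata table and function names are a constructed, hypothetical stand-in) shows the pattern the paragraphs above describe: a file-transfer lookup that concatenates user input into a query exposes every stored file to a crafted input, while the parameterized version binds the same input as data and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed sample: a tiny file-transfer metadata store (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?, ?)",
        [
            (1, "alice", "q2-report.pdf"),
            (2, "bob", "cardholder-export.csv"),
            (3, "alice", "passport-scan.png"),
        ],
    )
    return conn


def list_files_vulnerable(conn, owner):
    # Untrusted input is spliced into the SQL text, so the database parses
    # whatever the caller sends as part of the query: classic SQL injection.
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_fixed(conn, owner):
    # Parameterized query: the driver binds `owner` as a value, so quote
    # characters in the input can never change the query's structure.
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


def demo():
    """Return what each variant exposes for a normal and a crafted owner value."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # textbook tautology input, used here only to show the contrast
    return {
        "vulnerable_normal": list_files_vulnerable(conn, "alice"),
        "vulnerable_crafted": list_files_vulnerable(conn, crafted),
        "fixed_normal": list_files_fixed(conn, "alice"),
        "fixed_crafted": list_files_fixed(conn, crafted),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The crafted input makes the vulnerable query return all three rows, including another user's cardholder export, which is the kind of cross-tenant data exposure described in this article; the fixed query returns an empty list.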


Experts we’ve talked to fear that Cl0p has opened Pandora’s box. Since the chain of attacks showcases a nearly perfect supply-chain hack, where just one software exploit opened the doors to thousands of companies, other criminal groups will be keen to replicate Cl0p’s success.

Given the average ransom payout is over $250,000 and over 600 organizations have been impacted so far, if only 10% of those affected paid the ransom, it’s possible that the group has generated several million dollars already.