Bank of America Data Breach Impacts 57,000

Bank of America has warned customers of a data breach that compromised personal data, after its service provider, Infosys McCamish Systems (IMS), was hacked last November. 

In the Security and Exchange Commission filing, IMS said it had "become aware of a cybersecurity incident resulting in non-availability of certain applications and systems in IMS,” adding that it was working with leading cybersecurity experts to resolve the issue and had launched an internal investigation.

Now, it has been revealed the breach extended to Bank of America, impacting the personal data of 57,028 individuals. 

The news was announced in a data breach notification filed in the state of Maine, which described the incident as an "external system breach (hacking)." 

The information acquired was revealed to be individuals’ names and other personal identifiers in combination with social security numbers.

"Or around Nov. 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications," Bank of America wrote in a sample letter for impacted customers. "On Nov. 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised.”

Related:MGM Attack Drives Cybersecurity to Top of Mind

The letter added that, to date, IMS has found “no evidence of continued threat actor access,” though it also added it is "unlikely” that the full nature and extent of the personal data compromised will be determined. 

In the interest of customer safety, Bank of America said that it will be providing a complimentary two-year membership in identity theft protection services provided by Experian IdentityWorksSM. 

“This product provides you with daily monitoring of your credit reports from the three national credit reporting companies,” the bank said.

Ransomware gang LockBit claimed responsibility for the original IMS attack, saying that its operators encrypted more than 2,000 systems.