BofA Warns Customers of Data Leak in Third-Party Breach

An attack on a technology partner claimed by LockBit ransomware exposed sensitive information, including Social Security numbers, of more than 57,000 banking customers.


Bank of America has warned customers of a leak of their sensitive data that occurred due to a ransomware attack that breached the environment at technology partner Infosys McCamish Systems (IMS) last autumn. It's an incident that once again highlights the importance of securing access to data and environments across third-party systems.

At least 57,028 customers were affected in the breach, which occurred "when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications," according to a data breach disclosure form filed in Maine by IMS, and a separate letter (PDF) sent on behalf of Bank of America to affected customers. The financial institution serves about 69 million clients across more than 35 countries globally.

The form and letter offer different timelines for when the breach occurred. The disclosure form claims it occurred on Oct. 29, with IMS discovering it the following day. The letter says it occurred "on or around Nov. 3."

Whichever date is correct, the attack rendered unavailable some unspecified systems in the technology environment of IMS, which provides insurance process management solutions and services. The attack also exposed sensitive data from Bank of America deferred-compensation plans, for which the company provides services, including the combination of people's names or other personal identifiers with their Social Security numbers.

However, IMS noted that it "is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident," though it "may have included" not only people's names and SSNs, but also addresses, business email addresses, dates of birth, and other account info.

LockBit Claims Responsibility

A few days later, on Nov. 4, the LockBit ransomware gang posted an ad on its Dark Web site for the sale of stolen data that it claimed came from more than 2,000 IMS systems encrypted by the threat actor in an attack, according to a screenshot posted by @DarkWebInformer on X, formerly Twitter, and flagged in a published report. The post listed a deadline of Nov. 9 for the company to pay ransom before it would post the leaked data. It's unclear at this time if that occurred or if the ransom was paid.

IMS informed Bank of America on Nov. 24 that data concerning deferred-compensation plans serviced by the bank may have been compromised, though Bank of America systems were not affected by the breach.

IMS retained a third-party forensic firm to investigate and assist with the company's recovery plan in response to the incident, "which included containing and remediating malicious activity, rebuilding systems, and enhancing response capabilities," the company said in its letter to customers.

"To date, IMS has found no evidence of continued threat actor access, tooling, or persistence in the IMS environment," according to IMS.

Bank of America said it is not aware that any data exposed in the breach has been misused. Even so, the bank is providing affected customers a complimentary two-year membership in an identity theft protection service provided by Experian IdentityWorks to help them protect their data.

Neither IMS nor Bank of America immediately responded to requests for comment about the incident on Feb. 13.

Managing Third-Party Cyber-Risk

Accessing a company's data via that company's partner or customer has become all-too-common for organizations, and security experts and technology providers alike have offered a range of suggestions and solutions for this third-party exposure — including risk-management and risk-assessment strategies — to mitigate these threats.

However, the problem persists, demonstrating "that the complexity of a typical organization's digital landscape, completely protecting against all forms of risk is close to impossible," notes Roger Neal, head of product at Apona Security, in an email to Dark Reading.

He suggests that organizations not only consider risk-management or -assessment solutions, but also demand a software bill of materials (SBOM) from all third-party vendors to better assess and manage vulnerabilities so they can take control before an attack even occurs.

"While the breach's specifics…are yet to be fully disclosed, it's possible that early detection of vulnerable components might have mitigated or prevented this incident," Neal posits.

Another potential strategy to protect against such breaches could be "to require hosting third-party services on-premises, thereby ensuring more control over access to sensitive customer information," he adds.

About the Author(s)

Elizabeth Montalbano, Contributing Writer
