Bank Of America Admits Data Breach, Vendor Hacked

Bank of America Corporation (BofA), the second-largest banking institution in the U.S., is warning customers of a possible data breach that may have exposed sensitive personal information of customers participating in a deferred compensation plan.

The notice of data breach filed by BofA with the Attorney General of Texas reveals that the customers’ personally identifiable information (PII) exposed in the security breach includes customer names, addresses, Social Security numbers, dates of birth, and financial information, including account and credit card numbers.

Apparently, the data breach took place on November 3, 2023, at Infosys McCamish Systems LLC (“Infosys,” or “IMS”), which is Bank of America’s vendor.

In a recent filing with the Attorney General of Maine, IMS revealed that 57,028 customers had their data exposed in the incident. During the cyberattack, an unauthorized party was able to access portions of IMS’s computer network.

On learning about the cybersecurity breach, IMS carried out an investigation with the help of third-party forensics specialists. It informed Bank of America on November 24, 2023, that data related to certain deferred compensation plans serviced by the bank may have been affected. However, at no point was Bank of America’s internal network compromised during the breach.

On February 1, 2024, Infosys sent out data breach letters to anyone who was affected by the recent data security incident, listing what information belonging to them was compromised.

Similarly, Bank of America sent out data breach letters to impacted consumers on February 6, 2024, notifying them about the security breach.

Despite claiming to be unaware of any misuse involving customer information, Bank of America is offering affected customers a complimentary two-year membership in Experian’s identity theft protection program, which includes credit monitoring, identity theft insurance, and fraud resolution services, to offset the incident.

Customers are also advised to change online passwords and PINs, monitor their accounts for any suspicious activity, report any unauthorized transactions immediately, and place a security freeze or fraud alert on their credit reports.

Bank of America Vs. LockBit

On November 4, 2023, the ransomware gang LockBit allegedly took credit for the IMS attack, claiming that its operators encrypted over 2,000 systems during the breach.

The LockBit ransomware-as-a-service (RaaS) operation came to light in September 2019 and has since attacked numerous renowned institutions, including the UK Royal Mail, the Italian Internal Revenue Service, the major car company Continental, and the City of Oakland.

Kavita Iyer

