Skip to main content
close search
site logo

Bank of America customer data exposed in IT provider breach

A threat actor compromised Infosys McCamish Systems in November, affecting more than 57,000 Bank of America customers.

Published Feb. 13, 2024
Rajashree Chakravarty's headshot
Reporter
bank of america flag waving in Charlotte
A flag flies outside the Bank of America Corporate Center in Charlotte, North Carolina. Davis Turner/Stringer via Getty Images

Correction: An earlier version of this story credited the incorrect source for the notification letter. The letter is from Bank of America’s outside counsel.


A November 2023 “cybersecurity event” at Infosys McCamish Systems exposed Bank of America customer data, according to a breach notification letter from the bank’s outside counsel filed with the Office of the Maine Attorney General.

Customers’ first and last names, addresses, business email addresses, dates of birth and Social Security numbers may have been among the compromised information. Bank of America said it was “unlikely that we will be able to determine with certainty what personal information was accessed.”

A threat actor compromised IMS systems around Nov. 3, taking some IMS applications offline, Bank of America said in its letter. Bank of America said 57,028 customers were affected by the incident.

IMS notified Bank of America about the data breach Nov. 24. 

A Bank of America spokesperson told Banking Dive, “[y]ou should reach out to Infosys McCamish. We’re declining to comment.”

IMS provides services for deferred compensation plans. The company retained a third-party forensic firm to investigate and assist with the recovery plan following the security incident. The notice said the firm did not find any “evidence of continued threat actor access, tooling, or persistence in the IMS environment."

LockBit claimed responsibility for the IMS attack Nov. 4 and said more than 2,000 systems were encrypted.

Cyberattacks have long affected financial institutions, leading the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve to require banks to report incidents to their primary regulator within 36 hours, if it’s determined the incident could disrupt business or the stability of the financial sector.

The Federal Trade Commission has called for nonbanking financial institutions to report data breaches and other cybersecurity-related events no later than 30 days after discovering the breach affecting at least 500 consumers.

“Third-party breaches continue to plague organizations,” Ray Kelly, a fellow at Synopsys Software Integrity Group, told Banking Dive via email. “Ensuring the trust chain between organizations, while not a simple task, is essential to protecting consumers’ private information.”

Filed Under: Commercial, Risk

Editors' picks

  • Michael Barr, the Federal Reserve's vice chair for supervision, speaks during a congressional hearing, while sitting next to Martin Gruenberg, chair of the FDIC and Michael Hsu, acting comptroller of the currency
    Image attribution tooltip
    Kevin Dietsch / Staff via Getty Images
    Image attribution tooltip

    Did regulators send warning shot at already roiled BaaS space?

    It’s clear the Synapse debacle was on regulators’ minds when they issued last week’s statement highlighting risks associated with banks’ third-party partnerships, analysts said.

    By Caitlin Mullen • July 31, 2024
  • JPMorgan Chase building signage in New York City
    Image attribution tooltip
    Michael M. Santiago / Staff via Getty Images
    Image attribution tooltip

    JPMorgan, Zelle may have upper hand if litigation ensues

    If the banks that own Zelle’s parent battle the Consumer Financial Protection Bureau in court, they may find some federal judges open to their arguments, said lawyers specializing in the area.

    By Patrick Cooley • Aug. 16, 2024

Company Announcements

View all | Post a press release
Zingly Announces a Proven, Safe-AI Solution for Banks and Financial Institutions to Drive Reve…
From Zingly.ai
October 28, 2024
Bank Midwest Partnership with Newgen Continues to Amplify its Digital Banking Capabilities
From Newgen Software
October 24, 2024
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Narmi
October 31, 2024
Celonis AgentC: Making AI Agents Work for the Enterprise with Process Intelligence
From Celonis
October 23, 2024
Editors' picks
  • Michael Barr, the Federal Reserve's vice chair for supervision, speaks during a congressional hearing, while sitting next to Martin Gruenberg, chair of the FDIC and Michael Hsu, acting comptroller of the currency
    Image attribution tooltip
    Kevin Dietsch / Staff via Getty Images
    Image attribution tooltip

    Did regulators send warning shot at already roiled BaaS space?

    It’s clear the Synapse debacle was on regulators’ minds when they issued last week’s statement highlighting risks associated with banks’ third-party partnerships, analysts said.

    By Caitlin Mullen • July 31, 2024
  • JPMorgan Chase building signage in New York City
    Image attribution tooltip
    Michael M. Santiago / Staff via Getty Images
    Image attribution tooltip

    JPMorgan, Zelle may have upper hand if litigation ensues

    If the banks that own Zelle’s parent battle the Consumer Financial Protection Bureau in court, they may find some federal judges open to their arguments, said lawyers specializing in the area.

    By Patrick Cooley • Aug. 16, 2024
Latest in Commercial
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell