Skip to main content
close search
site logo

Bank of America customer data exposed in IT provider breach

A threat actor compromised Infosys McCamish Systems in November, affecting more than 57,000 Bank of America customers.

Published Feb. 13, 2024
Rajashree Chakravarty's headshot
Reporter
bank of america flag waving in Charlotte
A flag flies outside the Bank of America Corporate Center in Charlotte, North Carolina. Davis Turner/Stringer via Getty Images

Correction: An earlier version of this story credited the incorrect source for the notification letter. The letter is from Bank of America’s outside counsel.


A November 2023 “cybersecurity event” at Infosys McCamish Systems exposed Bank of America customer data, according to a breach notification letter from the bank’s outside counsel filed with the Office of the Maine Attorney General.

Customers’ first and last names, addresses, business email addresses, dates of birth and Social Security numbers may have been among the compromised information. Bank of America said it was “unlikely that we will be able to determine with certainty what personal information was accessed.”

A threat actor compromised IMS systems around Nov. 3, taking some IMS applications offline, Bank of America said in its letter. Bank of America said 57,028 customers were affected by the incident.

IMS notified Bank of America about the data breach Nov. 24. 

A Bank of America spokesperson told Banking Dive, “[y]ou should reach out to Infosys McCamish. We’re declining to comment.”

IMS provides services for deferred compensation plans. The company retained a third-party forensic firm to investigate and assist with the recovery plan following the security incident. The notice said the firm did not find any “evidence of continued threat actor access, tooling, or persistence in the IMS environment."

LockBit claimed responsibility for the IMS attack Nov. 4 and said more than 2,000 systems were encrypted.

Cyberattacks have long affected financial institutions, leading the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Federal Reserve to require banks to report incidents to their primary regulator within 36 hours, if it’s determined the incident could disrupt business or the stability of the financial sector.

The Federal Trade Commission has called for nonbanking financial institutions to report data breaches and other cybersecurity-related events no later than 30 days after discovering the breach affecting at least 500 consumers.

“Third-party breaches continue to plague organizations,” Ray Kelly, a fellow at Synopsys Software Integrity Group, told Banking Dive via email. “Ensuring the trust chain between organizations, while not a simple task, is essential to protecting consumers’ private information.”

Filed Under: Commercial, Risk

Editors' picks

  • Michael Barr, the Federal Reserve's vice chair for supervision, speaks during a congressional hearing, while sitting next to Martin Gruenberg, chair of the FDIC and Michael Hsu, acting comptroller of the currency
    Image attribution tooltip
    Kevin Dietsch / Staff via Getty Images
    Image attribution tooltip

    Did regulators send warning shot at already roiled BaaS space?

    It’s clear the Synapse debacle was on regulators’ minds when they issued last week’s statement highlighting risks associated with banks’ third-party partnerships, analysts said.

    By Caitlin Mullen • July 31, 2024
  • Two people use Capital One ATMs. A sign above them reads "Check your (inner) balance"
    Image attribution tooltip
    Joe Raedle / Staff via Getty Images
    Image attribution tooltip

    Capital One warns of possible CFPB enforcement action

    The bureau notified the lender last month it’s considering action after customers sued Capital One, claiming it never told savings account holders they could get a higher yield if they switched to another product.

    By Caitlin Mullen • Nov. 1, 2024

Company Announcements

View all | Post a press release
interface.ai Reinforces AI Leadership in Financial Services with Industry-Unique Device Biomet…
From Jordan Mitchell
November 21, 2024
Cross Border Payment Solutions Launches to Help Business Take Control of International Finance
From Cross Border Payment Solutions
November 18, 2024

Want to share a company announcement with your peers?

Get started

Editors' picks
  • Michael Barr, the Federal Reserve's vice chair for supervision, speaks during a congressional hearing, while sitting next to Martin Gruenberg, chair of the FDIC and Michael Hsu, acting comptroller of the currency
    Image attribution tooltip
    Kevin Dietsch / Staff via Getty Images
    Image attribution tooltip

    Did regulators send warning shot at already roiled BaaS space?

    It’s clear the Synapse debacle was on regulators’ minds when they issued last week’s statement highlighting risks associated with banks’ third-party partnerships, analysts said.

    By Caitlin Mullen • July 31, 2024
  • Two people use Capital One ATMs. A sign above them reads "Check your (inner) balance"
    Image attribution tooltip
    Joe Raedle / Staff via Getty Images
    Image attribution tooltip

    Capital One warns of possible CFPB enforcement action

    The bureau notified the lender last month it’s considering action after customers sued Capital One, claiming it never told savings account holders they could get a higher yield if they switched to another product.

    By Caitlin Mullen • Nov. 1, 2024
Latest in Commercial
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell