
Bank of America Raises Alarm Over Data Breach as Vendor Goes Offline


Bank of America is alerting its customers about a data breach that has exposed their personal information following a security incident involving one of its service providers last year.

The compromised customer personally identifiable information (PII) includes names, addresses, social security numbers, dates of birth, and financial details such as account and credit card numbers.

Bank of America caters to approximately 69 million clients through more than 3,800 retail financial centers and around 15,000 ATMs across the United States, its territories, and over 35 countries.

When contacted for further information, a Bank of America spokesperson declined to comment and directed inquiries to Infosys McCamish.

While the bank failed to disclose the exact number of affected customers, Infosys McCamish Systems (IMS) revealed in a recent filing with the Attorney General of Maine that the breach exposed the data of 57,028 individuals.

The Breach Did Not Affect Bank of America

IMS reported that on or around November 3, 2023, an unauthorized third party accessed its systems, resulting in the non-availability of certain applications. On November 24, 2023, IMS informed Bank of America about the potential compromise of data related to deferred compensation plans serviced by the bank. They clarified that Bank of America was not one of the victims of the cyberattack.

IMS expressed uncertainty regarding the specific personal information accessed during the incident.

The security breach resulted in the non-availability of certain applications and systems within IMS, as disclosed in a filing with the U.S. Securities and Exchange Commission. The LockBit ransomware gang claimed responsibility for the attack on IMS, stating that they encrypted over 2,000 systems during the breach.

LockBit, a ransomware-as-a-service (RaaS) operation discovered in September 2019, has targeted numerous prominent organizations worldwide, including the UK's Royal Mail, the automotive giant Continental, the City of Oakland, and the Italian Internal Revenue Service.

In a joint advisory released in June by cybersecurity authorities in the United States and global partners, it was estimated that the LockBit gang extorted at least $91 million from U.S. organizations following approximately 1,700 attacks since 2020.

Infosys, the parent company of IMS, is a multinational IT consulting and services provider with over 300,000 employees and clientele spanning more than 56 countries.