Bank of America has alerted customers to a leak of sensitive data due to a ransomware attack violated the environment at technology partner Infosys McCamish Systems (IMS) last fall. It is an incident that once again highlights the importance of protecting access to data and environments through third-party systems.
At least 57,028 customers were affected by the breach, which occurred when “an unauthorized third party gained access to IMS systems, resulting in the unavailability of some IMS applications,” according to a report data breach disclosure form filed in Maine by IMS, ea separate letter (PDF) sent on behalf of Bank of America to affected customers. The financial institution serves approximately 69 million customers in more than 35 countries around the world.
The form and letter offer different timelines for when the violation occurred. The disclosure firm says it happened on October 29, while IMS discovered it the next day. The letter says it occurred “on or about November 3.”
Regardless, the attack rendered unavailable some unspecified systems in the technology environment of IMS, which provides solutions and services for managing insurance processes. The attack also exposed sensitive data — including combining people’s names or other personal identifiers with their Social Security numbers — from Bank of America’s deferred compensation plans, for which the company provides services.
However, IMS noted that “it is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident,” although it “may have included” not only people’s names and SSNs, but also addresses, company data email addresses, dates of birth and other account information.
LockBit claims responsibility
A few days later, on November 4th, the LockBit ransomware gang posted an ad for sale of stolen data on its Dark Web site claiming to come from more than 2,000 IMS systems that were encrypted by the threat actor in an attack, according to a screenshot posted by @DarkWebInformer on X, formerly Twitter, and reported a published report. The post noted a Nov. 9 deadline for the company to pay the ransom before publishing the leaked data. It is not clear at the moment whether this occurred or whether the ransom was paid.
IMS notified Bank of America on Nov. 24 that data related to deferred compensation plans served by the bank may have been compromised, although Bank of America’s systems were not affected by the breach.
IMS retained a forensics firm to investigate and assist in the company’s recovery plan in response to the incident, “which included containment and remediation of malicious activity, rebuilding systems and improving response capabilities,” it said the company in its letter to customers.
“To date, IMS has found no evidence of threat actors’ continued access, tools, or persistence in the IMS environment,” according to IMS.
Bank of America said it was not aware that the data exposed in the breach had been misused. Despite this, the bank is offering affected customers a free two-year subscription to an identity theft protection service provided by Experian IdentityWorks to help them protect their data.
Neither IMS nor Bank of America immediately responded to requests for comment on the Feb. 13 incident.
Third-party cyber risk management
Access to a company’s data through that company’s partner or customer has become all too common for organizationsboth security experts and technology vendors have offered a number of suggestions and solutions for this third-party exposure, including risk management AND risk assessment strategies – to mitigate these threats.
However, the problem persists, proving that “the complexity of a typical organization’s digital landscape, which completely protects against all forms of risk, is nearly impossible,” notes Roger Neal, product manager at Apona Security., in an email to Dark Reading.
He suggests that organizations consider not only risk management or assessment solutions, but also require a software bill of materials (SBOM) from all third-party vendors to better assess and manage vulnerabilities so you can take control before an attack even occurs.
“While the specifics of the breach… have yet to be fully disclosed, it is possible that early detection of vulnerable components may have mitigated or prevented this incident,” Neal speculates.
Another potential strategy to protect against such breaches could be to “require third-party services to be hosted on-premise, thereby providing greater control over access to sensitive customer information,” he adds.