Bank of America wasn't directly targeted in a recent cyber attack, it was just "hit in the crossfire"


A cyber security incident at Bank of America which saw the financial services firm issue a customer alert over data exposure underlines the continued threats faced by firms through supply chain weaknesses, according to security experts. 

Bank of America informed customers that their data may have been leaked after one of its suppliers had its systems breached.

According to the data breach notification, 57,028 people were affected by an incident at Infosys McCamish Systems (IMS), which provides services for deferred compensation plans to Bank of America.

Although it’s not clear what data was accessed, the deferred compensation plan information may have included first and last names, addresses, business email addresses, dates of birth, social security numbers, and other account information.

Infosys confirmed an incident had taken place in November. A sample letter attached to the data breach notification, posted on the website of the state of Maine Attorney General’s office, said that on or around November 3 last year IMS was “impacted by a cyber security event” when an unauthorized third party accessed its system.

IMS told Bank of America that data pertaining to deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.

The letter said IMS has found no evidence of “continued threat actor access, tooling, or persistence in the IMS environment,” although it acknowledged that it was unlikely that it would be able to determine with certainty what personal information was accessed as a result of the incident.

Bank of America-type incidents are "becoming more frequent"

Brian Boyd, head of technical delivery at cyber security and risk consultancy i-confidential, said that while Bank of America was not the target of this attack, it was still “hit in the crossfire”, which should serve as a potent reminder of the pervasive supply chain risks faced by organizations globally.

“These types of incidents are becoming more frequent today,” he said.

Last year, some Bank of America customers also received data breach warning letters after EY found that files had been compromised due to a vulnerability in the MOVEit Transfer software it used.

EY provides consultancy and tax advisory services to Bank of America. Many other companies who had used the MOVEit software also lost data.

“MOVEit was undoubtedly the attack that dominated media headlines in 2023 because it demonstrated the devastating impact of supply chain breaches,” Boyd said. “Criminals only need to find one gap in the chain. They can then access hundreds of organizations’ networks by pivoting from one company to the next.”

“Attackers are now favoring these types of assaults because they provide maximum return with often minimal effort,” he added.

Boyd said that when it comes to protecting against supply chain incidents, organizations must ensure they hold an inventory of all their suppliers, and understand the inherent risks associated with each of them.

To bolster this, organizations should also consider how they and third parties share information or connectivity, Boyd said.

Breaches like these show the challenges for all businesses. While they can control what happens in their own systems, they are always going to be part of a wider ecosystem of suppliers. As interconnected supply chains continue to grow, so does reliance on the systems of other companies.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.