Bank of America wasn't directly targeted in a recent cyber attack; it was just "hit in the crossfire"
A recent security incident at Bank of America underlines the complexity of supply chain security risks faced by organizations globally, experts warn
A cyber security incident at Bank of America which saw the financial services firm issue a customer alert over data exposure underlines the continued threats faced by firms through supply chain weaknesses, according to security experts.
Bank of America informed customers that their data may have been leaked after one of its suppliers had its systems breached.
According to the data breach notification, 57,028 people were affected by an incident at Infosys McCamish Systems (IMS), which provides services for deferred compensation plans to Bank of America.
Although it’s not clear what data was accessed, the deferred compensation plan information may have included first and last names, addresses, business email addresses, dates of birth, social security numbers, and other account information.
Infosys confirmed an incident had taken place in November. A sample letter attached to the data breach notification, posted on the website of the state of Maine Attorney General’s office, said that on or around November 3 last year IMS was “impacted by a cyber security event” when an unauthorized third party accessed its system.
IMS told Bank of America that data pertaining to deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.
The letter said IMS has found no evidence of “continued threat actor access, tooling, or persistence in the IMS environment,” although it acknowledged that it was unlikely that it would be able to determine with certainty what personal information was accessed as a result of the incident.
Bank of America-type incidents are "becoming more frequent"
Brian Boyd, head of technical delivery at cyber security and risk consultancy i-confidential, said that while Bank of America was not the target of this attack, it was still “hit in the crossfire”, which should serve as a potent reminder of the pervasive supply chain risks faced by organizations globally.
“These types of incidents are becoming more frequent today,” he said.
Last year, some Bank of America customers also received data breach warning letters after EY found that files had been compromised due to a vulnerability in the MOVEit Transfer software it used.
EY provides consultancy and tax advisory services to Bank of America. Many other companies who had used the MOVEit software also lost data.
“MOVEit was undoubtedly the attack that dominated media headlines in 2023 because it demonstrated the devastating impact of supply chain breaches,” Boyd said. “Criminals only need to find one gap in the chain. They can then access hundreds of organizations’ networks by pivoting from one company to the next.”
“Attackers are now favoring these types of assaults because they provide maximum return with often minimal effort,” he added.
Boyd said that when it comes to protecting against supply chain incidents, organizations must ensure they hold an inventory of all their suppliers, and understand the inherent risks associated with each of them.
To bolster this, organizations should also consider how they and third parties share information or connectivity, Boyd said.
Breaches like these show the challenges for all businesses. While they can control what happens in their own systems, they are always going to be part of a wider ecosystem of suppliers. As interconnected supply chains continue to grow, so does reliance on the systems of other companies.
Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.