
Third Party Data Breach Hits Bank of America, At Least 57,000 Records of Sensitive Personal Information Exposed

Personal and financial information for at least 57,000 parties doing business with Bank of America was exposed in a third party data breach in late October of last year, according to a statement by the Attorney General of Texas and a new breach report filing with the Attorney General of Maine.

Infosys McCamish Systems (IMS), an insurance process management services provider, is the third party that was compromised and the source of the Maine breach filing. Many key details of the breach have yet to emerge. The Maine report claims that just 57,028 people were directly impacted, and a breach report notification letter indicates that the exposure was limited to customers holding a deferred compensation plan serviced by the bank.

Extent of third party data breach impact to Bank of America customers remains unclear

Most of the currently available information about the third party data breach comes from IMS’s mandatory filing in Maine, where it says that 93 state residents were impacted. The notification reveals that the breach took place on October 29 of last year and was discovered the following day, and has been attributed to outside hacking. Impacted parties began to receive written notifications earlier this month, and have been offered 24 months of a free identity theft protection service from Experian.

It would appear that most of the estimated 6.9 million customers of the bank do not yet have a solid reason to worry. The news is much worse, however, for those holding a deferred compensation plan associated with the bank (a 401(k) alternative retirement option generally offered to executives and management-level employees). A statement by the Attorney General of Texas, where there appears to have been a similar but non-public filing, indicates that a broad range of sensitive information may have been accessed by the hackers: bank account and credit card numbers, Social Security numbers, dates of birth and extensive contact information. IMS says that it cannot state with certainty exactly how much of this the attackers accessed.

The ransomware gang LockBit claimed responsibility for the third party data breach on November 4 via its dark web portal, stating that it had stolen about 50GB of data and threatening to release it by November 8 if a ransom demand of undisclosed size was not paid. The posting also indicated that IMS made a counter-offer of $50,000 USD, which the group answered with a “laughing” emoji. LockBit further offered to sell the stolen data to interested bidders, with a requested starting bid of $500,000 USD, and claimed to have encrypted over 2,000 of IMS’s computers during the attack. It remains unknown whether IMS paid the ransom or whether the data was ultimately leaked.

Al Lakhani, CEO of IDEE, notes that while the technical details of the breach have yet to emerge, the incident highlights the role MFA has to play in preventing third party data breaches: “Protecting the supply chain is critical. Especially when they can cause these kinds of attacks. Therefore, relying on first generation MFA that requires two devices and lacks the capability to prevent credential phishing attacks is a non-starter. To fortify supply chains effectively, they must be protected using next-generation MFA solutions, which protect against credential, phishing and password-based attacks, including adversary-in-the-middle attacks by using same-device MFA.”

John Bambenek, President at Bambenek Consulting, sees logging and monitoring as the key: “IT management firms have always been a lucrative target for a variety of threat actors because they have trusted access to several customers, and since they are managing systems already, attackers can discreetly make changes that allow them to carry out their attacks. The key takeaway here is that organizations need to find a way to discover quickly when their MSPs are engaging in abnormal activity so they can investigate and remediate the attacks quickly before they have to contend with breach notification letters.”

Oz Alashe MBE, CEO of CybSafe, adds that this sort of thinking must necessarily expand to all cybersecurity decisions: “While the benefits of these processes are clear, institutions are increasingly trusting third-party organizations with customer data. Cybersecurity is not an ‘in-house’ issue, but one dependent on a series of organizations, from IT vendors and payment providers to cloud services and software platforms. Financial institutions and their partners must move beyond compliance and tick-box exercises, fostering an active security consciousness that encourages positive security behaviors.”

Continuing lack of transparency for data breaches highlighted by IMS incident

The IMS third party data breach serves as an illustration of how relatively far behind US law is on transparency and mandatory disclosures. What little information is available to the public some three months after the breach only became broadly available because of Maine’s data privacy laws, which require notifications to victims within 30 days of discovery of a breach. That law does allow a delay if a law enforcement investigation deems it necessary, though it is not clear if that was what happened in this case.

Bank of America sells the impacted deferred compensation plans to a variety of employers, and one of the big questions that remains is exactly which employers are impacted by the third party data breach. It is also unclear if IMS is experiencing ongoing business interruption due to the ransomware. The fact that a public dump of the stolen information by LockBit cannot be located or verified would point toward some sort of ransom payment being worked out, which in turn would point to a decryption key being provided to the company, but IMS has not issued any further comment on the incident as of yet. Bank of America would only say that it is “not aware” of any misuse of the information that was exposed.

LockBit has now been active for several years and continues to be a leading threat. A US government report from mid-2023 found that the group was responsible for at least 1,700 attacks worldwide over its lifetime and had taken over $91 million from US companies alone. The group keeps developing new iterations of its malware, attaching version numbers to them as a branding exercise. Besides the US it heavily targets Brazil and India, and it has shown a preference for infrastructure and manufacturing companies. It is also somewhat anomalous in being one of the few major ransomware groups that seems to favor small-to-medium targets: a 2022 Trend Micro study found that it went after large enterprises only about 19.5% of the time. This strategy may have helped contribute to its longevity, as larger competitors have gotten their names in the news too much and attracted the special attention of coordinated international law enforcement operations.

Piyush Pandey, CEO at Pathlock, notes that some of this may be attributable to a specific focus on finding small members of the supply chain that open up the possibility of a third party data breach of a much larger target: “The interconnectedness and complexity of supply chains in the financial sector increases the difficulty of managing and securing third-party access. This breach notification highlights the need for more stringent third-party access governance controls, continuous monitoring, and robust threat detection and response strategies to safeguard against such attacks. This incident also reflects the broader trend of cybercriminals exploiting third-party vulnerabilities to target major organizations, necessitating a more comprehensive and proactive approach to access controls across all levels of the supply chain. Given how highly regulated the financial sector is with regards to data protection and privacy, ensuring that third-party vendors comply with these regulations is crucial, but challenging.”
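Bambenek's point about discovering quickly when an MSP's access turns abnormal, and Pandey's call for continuous monitoring of third-party access, both come down to the same control: baseline what a vendor's service account normally does, then alert on deviation. The script below is an added example for this article, not code from Bambenek Consulting, Pathlock, IMS or Bank of America. It assumes access logs have already been normalised to one JSON object per line with the fields `ts`, `user`, `src_ip`, `action` and `count`; the account names, IP addresses, timestamps and volumes are constructed sample data.

```python
"""Baseline a third-party (vendor / MSP) service account and alert on deviation.

Added example for this article; not code from any firm quoted in it.
Assumptions: access logs are JSON lines with fields ts (UTC ISO 8601), user,
src_ip, action and count (records touched).  All accounts, IPs, timestamps
and volumes below are constructed sample data.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: three days of routine vendor activity used as the baseline.
BASELINE_LOGS = """
{"ts": "2023-10-23T14:05:00Z", "user": "svc-vendor-ims", "src_ip": "203.0.113.10", "action": "ReadRecord", "count": 120}
{"ts": "2023-10-23T15:12:00Z", "user": "svc-vendor-ims", "src_ip": "203.0.113.10", "action": "ReadRecord", "count": 95}
{"ts": "2023-10-24T14:30:00Z", "user": "svc-vendor-ims", "src_ip": "203.0.113.10", "action": "ReadRecord", "count": 130}
{"ts": "2023-10-24T16:02:00Z", "user": "svc-vendor-ims", "src_ip": "203.0.113.11", "action": "UpdateRecord", "count": 40}
{"ts": "2023-10-25T15:45:00Z", "user": "svc-vendor-ims", "src_ip": "203.0.113.10", "action": "ReadRecord", "count": 110}
"""

# Constructed sample: a later day on which the same account behaves differently
# (new source address, off-hours, a bulk export, and an unbaselined account).
NEW_LOGS = """
{"ts": "2023-10-29T02:15:00Z", "user": "svc-vendor-ims", "src_ip": "198.51.100.77", "action": "ExportBulk", "count": 20000}
{"ts": "2023-10-29T02:40:00Z", "user": "svc-vendor-ims", "src_ip": "198.51.100.77", "action": "ReadRecord", "count": 50}
{"ts": "2023-10-29T03:00:00Z", "user": "svc-vendor-unknown", "src_ip": "198.51.100.77", "action": "ReadRecord", "count": 10}
{"ts": "2023-10-29T14:10:00Z", "user": "svc-vendor-ims", "src_ip": "203.0.113.10", "action": "ReadRecord", "count": 115}
"""


def parse(text):
    """Parse JSON lines into event dicts, converting ts to a timezone-aware datetime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def _hour_bucket(ev):
    """Key used to aggregate record volume per account per UTC hour."""
    return (ev["user"], ev["ts"].replace(minute=0, second=0, microsecond=0))


def build_baseline(events):
    """Per-account profile: source IPs, UTC hours, actions and busiest hour seen."""
    profile = defaultdict(lambda: {"ips": set(), "hours": set(),
                                   "actions": set(), "max_hourly": 0})
    hourly = defaultdict(int)
    for ev in events:
        p = profile[ev["user"]]
        p["ips"].add(ev["src_ip"])
        p["hours"].add(ev["ts"].hour)
        p["actions"].add(ev["action"])
        hourly[_hour_bucket(ev)] += ev["count"]
    for (user, _), n in hourly.items():
        profile[user]["max_hourly"] = max(profile[user]["max_hourly"], n)
    return dict(profile)


def detect(events, profile, volume_factor=5):
    """Return (ts, user, reason) alerts for events that deviate from the baseline."""
    alerts = []
    hourly = defaultdict(int)
    for ev in events:
        p = profile.get(ev["user"])
        if p is None:
            # A vendor account that was never baselined is suspicious by default.
            alerts.append((ev["ts"], ev["user"], "unknown_vendor_account"))
            continue
        reasons = []
        if ev["src_ip"] not in p["ips"]:
            reasons.append("new_source_ip")
        if ev["ts"].hour not in p["hours"]:
            reasons.append("outside_baseline_hours")
        if ev["action"] not in p["actions"]:
            reasons.append("new_action:" + ev["action"])
        bucket = _hour_bucket(ev)
        hourly[bucket] += ev["count"]
        # Cumulative volume in this hour exceeding N times the busiest baseline hour.
        if hourly[bucket] > volume_factor * p["max_hourly"]:
            reasons.append("volume_spike")
        alerts.extend((ev["ts"], ev["user"], r) for r in reasons)
    return alerts


def run_example():
    """Build the baseline from BASELINE_LOGS and run detection over NEW_LOGS."""
    profile = build_baseline(parse(BASELINE_LOGS))
    return detect(parse(NEW_LOGS), profile)


if __name__ == "__main__":
    for ts, user, reason in run_example():
        print(f"{ts.isoformat()} {user} {reason}")
```

Run against the sample, the routine 14:10 read from the known address produces nothing, while the 02:15 bulk export from an unfamiliar address trips every check at once, and the never-baselined account is flagged outright. In production the baseline window would be weeks rather than three days (three distinct hours would otherwise make the off-hours check far too noisy), and the alert would be routed to the team that can suspend the vendor's credential, since the point of the control is to act before the breach notification letters are required.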

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, sees this as an issue for regulators to prioritize due to the threat level: “Cybercriminals are launching island hopping attacks against the shared service providers in the financial sector. By targeting these less secure vendors they can successfully compromise major banks. The regulators must mandate higher standards of cybersecurity for shared service providers.”

As to what Bank of America customers can do to protect themselves, Sean McNee (VP of Research and Data at DomainTools) advises: “It’s crucial for customers to take immediate steps to protect their information and assets. Update your banking passwords immediately. Make sure to use strong, unique passwords. If your bank offers two-factor authentication (2FA), make sure to enable it. Keep a close eye on your accounts for any unauthorized transactions or suspicious activity. If you notice anything unusual, report it to your bank. The kind of data leaked in this attack is ripe for abuse. Be cautious of emails, calls, or texts asking for personal information or claiming to be from your bank. Always verify the source before providing any information. Consider using credit monitoring services and setting up alerts for changes in your credit report. Stay frosty out there–be vigilant and proactive to protect your personal information.”