CyberSecurity SEE

Cybersecurity vulnerabilities in the supply chain: Bank of America breached in another vendor cyberattack

Third-party cyber-attacks continue to pose a significant threat to organizations worldwide, as evidenced by the recent breach at Bank of America. The multinational investment banking and financial services corporation recently notified customers that a November 2023 hack against one of its service vendors resulted in the exposure of personally identifiable information (PII).

The breach occurred after a security incident against Infosys McCamish Systems (IMS), a subsidiary of Infosys that provides deferred compensation plan services to Bank of America. According to the IMS notification letter filed with the Maine Attorney General, an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications.

While only 57,028 of Bank of America’s millions of customers were directly impacted in the breach, the PII exposed included sensitive information such as Social Security Numbers, credit card and account numbers, names, and addresses. This incendiary mix of data could potentially be leveraged by threat actors to launch social engineering attacks against the affected individuals.

Subsequently, IMS notified Bank of America that data relating to their customers may have been exposed, and the infamous ransomware gang, LockBit, claimed responsibility for encrypting over 2,000 IMS systems in the attack on the same day.

“Vendor risk is continuing to become more of a concern,” commented Erich Kron, Security Awareness Advocate at KnowBe4. He emphasized the importance of establishing policies and procedures related to the protection of shared data and ensuring that contracts define what information is being processed and retained.

Interestingly, this is not the first time Bank of America has been impacted by a third-party cyber-attack. In May 2023, Ernst & Young, an accounting firm providing services to the bank, was hacked by the Cl0p ransomware gang through the MOVEit file transfer zero-day exploit. This incident also resulted in the exposure of personal data belonging to Bank of America customers.

The fallout from the MOVEit hack had a significant impact on third-party vendors and their customers. Ray Kelly, a fellow at the Synopsys Software Integrity Group, stressed the importance of ensuring a trust chain between organizations to protect consumers’ private information.

Hackers have exploited the vulnerability of third-party vendors in the supply chain, targeting organizations with less mature cybersecurity protocols. Tom Kellermann, SVP of Cyber Strategy at Contrast Security, emphasized the need for regulators to mandate higher standards of cybersecurity for shared service providers.

However, this does not absolve organizations like Bank of America from responsibility. They must ensure that data is being handled by vendors in a manner that prioritizes cybersecurity. Erfan Shadabi, a cybersecurity expert with comforte AG, highlighted the need for financial institutions to adopt a proactive approach to cybersecurity by embracing continuous monitoring and threat intelligence capabilities.

Al Lakhani, CEO of IDEE, emphasized the critical importance of protecting the supply chain, especially given that weaknesses in it can lead to attacks like this one. He recommended the use of next-generation multifactor authentication (MFA) solutions to fortify supply chains effectively.

Darren James, a Senior Product Manager at Specops Software, recommended conducting appropriate risk assessments when outsourcing services to third parties that handle sensitive information. He provided a series of questions to consider when risk assessing third parties, covering aspects such as password security, regulatory compliance, and disaster recovery policies.

Sean McNee, VP of Research and Data at DomainTools, highlighted the interconnected nature of running business online and the unique challenges it poses in defending against supply chain attacks. He urged consumers to remain vigilant, alert, and proactive in response to such events.

In conclusion, the breach at Bank of America serves as a stark reminder of the ongoing threats posed by third-party cyber-attacks. Organizations must remain diligent in their efforts to protect sensitive data and ensure that their third-party vendors adhere to robust cybersecurity standards. Likewise, consumers must take proactive measures to safeguard their information and mitigate the long-term impacts of such breaches.
