BofA alerts customers to data leak in third-party breach

Bank of America recently warned its customers about a data breach that occurred due to a ransomware attack at technology partner Infosys McCamish Systems (IMS) last autumn. This attack highlights the importance of securing access to data and environments across third-party systems.

According to a data breach disclosure form and a separate letter sent on behalf of Bank of America, at least 57,028 customers were affected. The breach occurred when an unauthorized third party accessed IMS systems, rendering certain IMS applications unavailable.

The exact timeline of the breach remains unclear, as the disclosure form claims it occurred on Oct. 29, while the letter states it occurred “on or around Nov. 3.” Nevertheless, sensitive data from Bank of America deferred-compensation plans was exposed, including individuals’ names, Social Security numbers, addresses, business email addresses, dates of birth, and other account information.

Following the breach, IMS stated that it was unlikely to be able to determine with certainty what personal information was accessed. However, the company’s response to the incident included containing and remediating malicious activity, rebuilding systems, and enhancing its response capabilities.

Shortly after the breach, the LockBit ransomware gang claimed responsibility by posting an ad for the sale of stolen data on its dark web site. The gang stated that more than 2,000 IMS systems were encrypted in the attack and threatened to post the leaked data if a ransom was not paid. It remains unclear if the ransom was indeed paid.

IMS subsequently informed Bank of America that data concerning deferred-compensation plans serviced by the bank may have been compromised, indicating that Bank of America systems were not affected by the breach. The company is providing affected customers a complimentary two-year membership in an identity theft protection service to help protect their data.

Both IMS and Bank of America have yet to provide any additional comments or statements regarding the incident. This lack of information has raised concerns about the potential misuse of exposed data.

Reaching a company’s data through a partner or customer has become a common attack path and continues to pose a significant risk to organizations. Security experts and technology providers have offered various suggestions and solutions to mitigate these threats, but the complexity of an organization’s digital landscape makes completely protecting against all forms of risk nearly impossible.

Some experts suggest demanding a software bill of materials (SBOM) from all third-party vendors to better assess and manage vulnerabilities. Early detection of vulnerable components might have mitigated or prevented the IMS breach.

Another potential strategy to protect against such breaches could be requiring third-party services to be hosted on-premises, ensuring more control over access to sensitive customer information.

As the investigation into the IMS data breach continues, concerns for the security of customer data remain at the forefront of discussions among financial institutions and their technology partners. The need to secure access to data and environments across third-party systems is a critical priority for organizations worldwide.
