More than 57,000 Bank of America accounts were compromised following a data breach by an unauthorized third party at financial software provider Infosys McCamish Systems (IMS) last autumn, officials have said.
The breach was discovered one day later, officials said, and consumers were informed on Feb. 1.
Names and other personal identifiers, including addresses, business email addresses, dates of birth, and Social Security numbers, were exposed during the system breach, according to a letter IMS sent to potentially impacted customers.
However, the letter notes that “it is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS.”
The letter also specifies that affected customers held deferred compensation plans serviced by Bank of America. Examples of deferred compensation plans include pensions, 401(k) retirement plans, and employee stock options.
No ‘Misuse’ Involving Stolen Data
In contrast to the data breach disclosure form, the letter says that the “cybersecurity event” occurred “on or around” Nov. 3. The company said it informed Bank of America on Nov. 24 that data concerning deferred-compensation plans serviced by the bank may have been compromised but stressed that Bank of America’s systems were not affected by the breach.
“In response to the security incident, IMS retained a third-party forensic firm to investigate and assist with IMS’s recovery plan, which included containing and remediating malicious activity, rebuilding systems, and enhancing response capabilities,” the letter states. “To date, IMS has found no evidence of continued threat actor access, tooling, or persistence in the IMS environment.”
In its letter to potentially impacted customers, the financial software provider said it is currently not aware of any misuse involving the stolen information involved in the breach.
Cybercriminals Threaten to Publish Data
In the meantime, IMS is recommending that impacted Bank of America customers review their credit reports and account statements over the next 24 months and notify their financial institution of any unauthorized transactions or incidents of suspected identity theft.
“We regret any concern or inconvenience this incident at IMS may cause you,” the letter to impacted customers concludes.
While neither Bank of America nor IMS stated who was behind the data breach, ransomware operator LockBit claimed responsibility for the hack in November last year.
The cybercriminal group also threatened to publish all of the available data by Nov. 9 unless a ransom was paid. They noted that IMS had offered $50,000 for the stolen data.
It is not clear why IMS and Bank of America notified customers of the breach outside of the 30-day period.
Bank of America declined to comment. The Epoch Times has contacted a spokesperson for IMS for comment.