3rd Party Risk Management , Breach Notification , Fraud Management & Cybercrime

Hack at Software Services Firm Affects 57,000 BoA Customers

InfoSys McCamish Says Incident Involved BoA's Deferred Compensation Plan Customers
Hack at Software Services Firm Affects 57,000 BoA Customers
More than 57,000 Bank of America deferred compensation plan customers were affected by a November hack at services firm InfoSys McCamish. (Image: Bank of America)

Bank of America is notifying more than 57,000 customers that their Social Security numbers and other personal information was potentially compromised in a hacking incident last November at insurance software firm InfoSys McCamish Systems.

See Also: OnDemand | Overcoming the Limitations of Addressing Insider Threat in Banking: Real Solutions for Real Security Challenges

IMS provides services for deferred compensation plans, including those serviced by the Charlotte, North Carolina-based Bank of America.

In a breach report submitted Feb. 2 by an external attorney, Bank of America told Maine's attorney general that on or around Nov. 3, 2023, IMS had experienced "a cybersecurity event" resulting in the "non-availability of certain IMS applications."

Bank of America was notified of the situation on Nov. 24, and no bank systems were compromised in the incident, the report said.

"In response to the security incident, IMS retained a third-party forensic firm to investigate and assist with IMS's recovery plan, which included containing and remediating malicious activity, rebuilding systems and enhancing response capabilities," according to a sample breach notification letter provided to the Maine regulators.

"To date, IMS has found no evidence of continued threat actor access, tooling or persistence in the IMS environment."

The notice said IMS is "unlikely" to determine with certainty what personal information was accessed as a result of this incident. But according to IMS' records, potentially compromised deferred compensation plan information includes Bank of America customers' first and last names, addresses, business email addresses, birthdates, Social Security numbers and other account information.

Bank of America is offering affected individuals two years of complimentary identity and credit monitoring services.

A Bank of America spokesperson declined Information Security Media Group's request for comment and referred ISMG to InfoSys McCamish.

IMS did not immediately respond to ISMG's request for additional details about the breach, including the type of hacking incident, whether it involved ransomware and if any other IMS customers - besides BoA's - were affected.

IMS, which is an Atlanta-based subsidiary of InfoSys BPM Limited, filed a notice with the U.S. Securities and Exchange Commission on Nov. 3 to report a cybersecurity incident involving "non-availability" of certain IMS systems and applications.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.