The Bank of America has issued a warning to customers regarding a potential data breach after a service provider, Infosys McCamish Systems (IMS), was hacked. The breach occurred in November of 2023, when an unauthorized third party accessed the systems of IMS. Affected customers had personally identifiable information exposed, including names, addresses and Social Security numbers. Financial data such as account numbers and credit card numbers may also have been leaked.

The Bank of America has not yet revealed how many users were affected by the data breach. However, a letter filed with the Attorney General of Maine disclosed that 57,028 individuals were impacted. 

This cybersecurity incident emphasizes the importance of securing customer data. Security leaders share their thoughts on this data breach and discuss how financial institutions and other organizations can better safeguard customer data.

Security leaders weigh in

Al Lakhani, CEO of IDEE:

“Protecting the supply chain is critical. Especially when they can cause these kinds of attacks. Therefore, relying on first generation MFA that requires two devices and lacks the capability to prevent credential phishing attacks is a non-starter. To fortify supply chains effectively, they must be protected using next-generation MFA solutions, which protect against credential, phishing and password-based attacks, including adversary-in-the-middle attacks by using same device MFA.”

Oz Alashe MBE, CEO of CybSafe:

“The impact of the data breach at Infosys McCamish Systems (IMS) on the Bank of America emphasizes how increasingly connected the financial services are becoming as the sector continues to digitize. While the benefits of these processes are clear, institutions are increasingly trusting third-party organizations with customer data. Cybersecurity is not an ‘in-house’ issue, but one dependent on a series of organizations, from IT vendors and payment providers to cloud services and software platforms. Financial institutions and their partners must move beyond compliance and tick-box exercises, fostering an active security consciousness that encourages positive security behaviors.”

Ray Kelly, Fellow at Synopsys Software Integrity Group: 

“Third-party breaches continue to plague organizations. Just last year, there were several cases of a zero-day exploit in the MOVEit file transfer service that is used heavily by third-party vendors. This issue caused massive amounts of stolen data from large organizations and even the US Government. Ensuring the trust chain between organizations, while not a simple task, is essential to protecting consumers’ private information.”