3rd Party Risk Management , Breach Notification , Fraud Management & Cybercrime
Hack at Software Services Firm Affects 57,000 BoA Customers
InfoSys McCamish Says Incident Involved BoA's Deferred Compensation Plan CustomersBank of America is notifying more than 57,000 customers that their Social Security numbers and other personal information was potentially compromised in a hacking incident last November at insurance software firm InfoSys McCamish Systems.
See Also: Netskope FERPA Mapping Guide
IMS provides services for deferred compensation plans, including those serviced by the Charlotte, North Carolina-based Bank of America.
In a breach report submitted Feb. 2 by an external attorney, Bank of America told Maine's attorney general that on or around Nov. 3, 2023, IMS had experienced "a cybersecurity event" resulting in the "non-availability of certain IMS applications."
Bank of America was notified of the situation on Nov. 24, and no bank systems were compromised in the incident, the report said.
"In response to the security incident, IMS retained a third-party forensic firm to investigate and assist with IMS's recovery plan, which included containing and remediating malicious activity, rebuilding systems and enhancing response capabilities," according to a sample breach notification letter provided to the Maine regulators.
"To date, IMS has found no evidence of continued threat actor access, tooling or persistence in the IMS environment."
The notice said IMS is "unlikely" to determine with certainty what personal information was accessed as a result of this incident. But according to IMS' records, potentially compromised deferred compensation plan information includes Bank of America customers' first and last names, addresses, business email addresses, birthdates, Social Security numbers and other account information.
Bank of America is offering affected individuals two years of complimentary identity and credit monitoring services.
A Bank of America spokesperson declined Information Security Media Group's request for comment and referred ISMG to InfoSys McCamish.
IMS did not immediately respond to ISMG's request for additional details about the breach, including the type of hacking incident, whether it involved ransomware and if any other IMS customers - besides BoA's - were affected.
IMS, which is an Atlanta-based subsidiary of InfoSys BPM Limited, filed a notice with the U.S. Securities and Exchange Commission on Nov. 3 to report a cybersecurity incident involving "non-availability" of certain IMS systems and applications.