Bank of America releases notice of massive data breach

Written by Abby Grifno | February 20, 2024

Bank of America has disclosed the company had a massive data breach in late 2023. 

 

What happened

In November of 2023, Infosys McCamish, a subsidiary of India-based technology company Infosys that provides business technology-related services, experienced a large data breach. Infosys McCamish (aka Infosys Limited) filed a letter with the US Securities and Exchange Commission regarding the cyberattack but provided few additional details. The event resulted in some systems and applications becoming unavailable.

Ultimately, Infosys McCamish restored all impacted systems by December 31st but disclosed the company had experienced losses of approximately $30 million and expected additional claims to arise. 

In response to the attack, McCamish conducted an investigation that determined data had been exfiltrated during the incident, although the investigation is ongoing. While McCamish has not revealed further information, Russia-based cybercrime organization LockBit took credit for the attack.

 

What’s new

Now, Bank of America (BOA) has begun sending breach notification letters, stating that Infosys McCamish provided services to BOA and had access to personal data. 

BOA is sending letters to approximately 57,000 customers. In a filing with the Maine Attorney General, BOA stated the company was unable to determine what information was specifically exfiltrated. They believe the information may have included:

  • First and last names
  • Addresses
  • Business email addresses
  • Dates of birth
  • Social Security numbers
  • Other account information

While letters to impacted customers were released beginning February 1st, the letter itself said Bank of America was told they had been part of the compromise on November 24th of 2023. 

In response, BOA is offering impacted customers complimentary identity theft protection services for two years. 

 

What was said

In a statement regarding the Infosys McCamish breach, the company said, “McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data.” 

In the letter to customers from BOA, the bank said, “It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS.”

The letter further stated that the company was not currently aware of any misuse of information.

 

Why it matters

For those who have never heard of Infosys, being impacted by their data breach may be a large and unwelcome surprise. While Infosys did not reveal the exact cause of the breach, we do know it was related to hacking. Studies show that nearly 91% of data breaches result from phishing attempts. With increasingly sophisticated attack efforts, it’s more important now than ever for companies to develop resilient and stringent cybersecurity practices. 
