Bank of America (BoA) has sent notification letters to customers impacted by a third-party breach at BoA business partner Infosys McCamish Systems (IMS), an attack the LockBit ransomware group claimed responsibility for last fall.
In a data breach notification filed Feb. 6 with the Attorney General of Texas, BoA said sensitive information was accessed by the threat actor, including names, Social Security numbers, financial account information, addresses, and dates of birth.
While it’s still unclear how many people were impacted, a filing by BoA with the Maine Attorney General said 57,028 people were impacted.
A letter from IMS to those affected also said that on or around Nov. 3, IMS experienced a cyberattack and it told BoA by Nov. 24 that data concerning “deferred compensation plans” serviced by BoA may have been compromised.
Efforts to reach BoA about the nature of the deferred compensation plans were unsuccessful.
Deferred compensation plans typically are informal and set up for top executives who can afford to defer their incomes. Most rank-and-file employees participate in 401(k) plans, which are considered qualified deferred compensation plans where a formal account exists.
This was the second time in as many days that LockBit has figured in cybersecurity news. Yesterday, SC Media reported that LockBit was involved in a cyberattack on Planet Home Lending. LockBit has been known since 2019 and has been involved in other high-profile attacks on the UK Royal Mail, the city of Oakland, and the Italian Internal Revenue Service. BoA, the subject of today's news, is the second-largest bank in the U.S., with more than 212,000 employees and $101 billion in annual revenue.
Unfortunately, BoA has been involved in an incident showcasing the risks and significance of third-party risk management, said Roger Neal, head of product at Apona Security. Neal said given the complexity of a typical organization's digital landscape, completely protecting against all forms of risk has become close to impossible, as evidenced by the recent BoA breach.
“This situation highlights the critical need for software bills of materials (SBOMs) from all vendors to better assess and manage vulnerabilities,” said Neal. “While the breach's specifics, involving a third-party vendor, are yet to be fully disclosed, it's possible that early detection of vulnerable components might have mitigated or prevented this incident.”
The breach notification highlights the need for more stringent third-party access governance controls, continuous monitoring, and robust threat detection and response strategies to safeguard against such attacks, said Piyush Pandey, chief executive officer at Pathlock. Pandey said the BoA incident also reflects the broader trend of cybercriminals exploiting third-party vulnerabilities to target major organizations, necessitating a more comprehensive and proactive approach to access controls across all levels of the supply chain.
“Given how highly regulated the financial sector is with regards to data protection and privacy, ensuring that third-party vendors comply with these regulations is crucial, but challenging,” noted Pandey.
Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, added that companies that are victims of a third-party data breach must force a password change for the compromised accounts and update any security measures that could have been lacking, and therefore resulted in the compromise.
From a customer/client perspective, Janssen-Anessi said teams must understand the extent and details of the compromise of the PII, change passwords of accounts related to the compromise, and monitor accounts for any unexpected activity, including any other accounts that could be compromised using PII data.
“A good place to start is to monitor your credit bureau information,” said Janssen-Anessi. “Cyber threat actors will continue to target financial organizations because the data can be very lucrative. It’s important that financial organizations require stringent cybersecurity practices for any third-party organizations that store or use their customers' data.”