A cybersecurity incident at Infosys McCamish Systems LLC (IMS), the US arm of Indian tech services giant Infosys, has resulted in a data breach impacting over 57,000 Bank of America (BofA) customers. IMS provides services to BofA’s deferred compensation plans.
In a November 3, 2023 filing, Infosys reported that IMS – which delivers BofA’s wealth management offerings – suffered a breach that led to “non-availability of certain applications and systems.” A notification submitted by BofA’s attorney in Maine this week revealed IMS as the source, with hackers gaining access to personal information like names, addresses, birth dates, email addresses, social security numbers and more.
The breach leaked data of BofA customers enrolled in deferred compensation plans, including private pensions, retirement accounts and stock options, which typically contain confidential personal and financial data. BofA has sent letters to impacted customers, but said it may not be able to determine the full extent of accessed information. This could enable fraudsters to commit identity theft using the leaked data.
Customers Face Identity Theft Risk, Offered Monitoring While BofA confirmed its own systems were not compromised, the access of customers’ sensitive personal information via IMS leaves them vulnerable to identity theft and fraud. The bank is offering impacted customers identity protection services for two years.
However, experts warn that leaked social security numbers could be used by criminals throughout victims’ lifetimes. Together with other breached data, fraudsters could open fraudulent accounts and make unauthorized purchases under customers’ names. This may permanently damage victims’ credit profiles if undetected. Customers have been advised to vigilantly monitor accounts and report any suspicious activity.
The breach further highlights risks surrounding third-party vendors handling sensitive consumer data. It underscores the need for robust cybersecurity policies and controls at both banks and their partner firms to safeguard customers’ personal information.