Data breach affects 57,000 Bank of America accounts

Enjoy complimentary access to top ideas and insights — selected by our editors.

A data breach at Infosys McCamish, a financial software provider, compromised the name, address, date of birth, Social Security number, and other account information of 57,028 deferred compensation customers whose accounts were serviced by Bank of America .

An unauthorized party — apparently a ransomware group known as LockBit — accessed the customers’ information through Infosys McCamish’s system, not Bank of America’s, according to a letter Infosys McCamish sent to affected customers, published by Maine’s attorney general. Bank of America provided standard two-year identity theft protection to the affected customers.

The breach occurred Nov. 3, according to the letter, and Infosys McCamish notified Bank of America about the breach on Nov. 24.

Many states, including Maine, require companies to notify people affected by a data breach within 30 days of the company discovering a breach. Delays may be granted for law enforcement investigations.

Infosys McCamish and Bank of America notified customers of the breach on Feb. 2, which is 90 days after the breach occurred. It is unclear whether any law enforcement investigations delayed notification.

Affected customers held deferred compensation plans serviced by Bank of America. Such plans allow executives and top-earning employees to accrue retirement benefits in a tax-advantaged way beyond what a 401(k) can provide.

These deferred compensation plans represent a “significant asset-gathering opportunity for financial institutions selling into the retirement plans markets,” according to Infosys McCamish. Infosys McCamish provides marketing, plan design, documentation, enrollment and administration for these plans to financial institutions, including to Bank of America.

Bank of America sells deferred compensation plans to employers, according to its website. It is unclear how many employers were affected by the data breach.

A spokesperson for Bank of America declined to comment. Spokespersons for Infosys McCamish did not respond to requests for comment.

LockBit, a ransomware group notorious for its high-profile attacks, claimed responsibility for the breach on Nov. 4, the day after Infosys McCamish said the breach occurred. LockBit also said it encrypted some of Infosys McCamish’s systems.

For its part, Infosys McCamish said in its letter to affected customers that the Nov. 3 attack had rendered some of its systems unavailable, but it did not elaborate on how long those systems remained down.

Infosys McCamish said in the letter it was “unlikely” that it would be able to determine with certainty what personal information the threat actor accessed during the breach, but it might have included deferred compensation plan information, including names, dates of birth, and Social Security numbers.

While Infosys McCamish said it was its own systems rather than Bank of America’s that were breached, Ray Kelly, a fellow at Synopsys Software Integrity Group, said that in third-party breaches such as this, the responsibility for the incident is still a “gray area.”

Many organizations require vendors to go through mandatory security audits to maintain a chain of trust, he said, but the case still reflects poorly on Bank of America. In this instance, Infosys McCamish “certainly bears the weight of this breach,” Kelly said, as it was their systems attacked by ransomware.

For regulators, the picture of responsibility when it comes to third-party cybersecurity risk is black and white; banks are the ones responsible. In January, the Federal Reserve’s vice chair for supervision, Michael Barr, said there have historically been “gaps” in banks’ efforts to manage these risks posed by third parties.

“Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk,” Barr said. “It is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard.”

Others have criticized banks’ attempts to stem cybersecurity threats from third parties, as well. In 2017, the Office of Inspector General for the Federal Deposit Insurance Corp. said in a report that banks’ contracts with technology service providers left them underprepared to face potential cybersecurity threats stemming from third-party vendors.

Banks’ contracts with these providers “typically did not clearly address [providers’] responsibilities and lacked specific contract provisions to protect” the interests and rights of banks, according to the FDIC OIG report.