Tens of Thousands of Bank of America Customers Have Information Stolen in Data Breach

Bank of America has taken the necessary steps to inform approximately 57,000 customers of a significant data breach affecting their personal information. The breach occurred through a third-party services provider, Infosys McCamish System (IMS). Initially disclosed on November 3, 2023, by Infosys in a filing with the US Securities and Exchange Commission, the cyberattack rendered several applications and systems unavailable.

Although IMS restored the impacted systems by December 31, the incident resulted in estimated losses of $30 million. There is also a possibility of additional costs arising from indemnities or damages/claims. IMS acknowledged that unauthorized third parties exfiltrated certain data during the attack, which included customer information.

Bank of America began notifying affected customers on February 1, acknowledging that data related to deferred compensation plans serviced by the bank may have been compromised in the IMS incident. While the precise scope of the breach remains uncertain, potentially compromised information includes names, addresses, dates of birth, Social Security numbers, business email addresses, and other account details.

To mitigate potential risks, Bank of America has offered affected customers a complimentary two-year membership in an identity theft protection service. Despite no reported instances of misuse involving the compromised information, the bank remains proactive in safeguarding its customers' interests.

Although specific details regarding the cyberattack were not disclosed by IMS or Bank of America, the LockBit ransomware gang claimed responsibility for the attack on November 4. Additionally, they purportedly released data allegedly stolen from IMS, further emphasizing the severity of the breach and its implications for affected individuals.