BofA Vendor Data Breach Amplifies Third-Party Risks

A Bank of America vendor suffered a data breach in November last year wherein the threat actors compromised tens of thousands of customers. The incident, which came to light recently, underlines the necessity of conducting the appropriate security checks while dealing with third parties.

February 14, 2024


A data breach at one of Bank of America’s service providers has compromised 57,028 of the bank’s customers. The premier financial institution now warns customers of the breach that exposed their personal data.

According to a breach notification filed with the U.S. Securities and Exchange Commission in November 2023, Infosys McCamish Systems (IMS), a subsidiary of Indian IT services major Infosys, suffered a data breach in October of that year.

IMS’s disclosure to the Maine Attorney General’s office from this week indicates that 57,028 Bank of America (BofA) customers were affected. “Bank of America was not the target of this attack, it was just hit in the crossfire, and these types of incidents are becoming more frequent today,” Brian Boyd, head of technical delivery at i-confidential, told Spiceworks.

“As one of the world’s leading banks, many people would believe an attack like this could never happen. But, with long and increasingly linked supply chains, anything is possible in the digital world.”

Compromised data includes customers’ personally identifiable information (PII): names, addresses, dates of birth, business email addresses, Social Security Numbers, and account information (account numbers and credit card numbers). However, IMS’ notification to customers adds that IMS is unlikely to be able to determine with certainty what else was accessed.

Neither BofA nor IMS have shed light on the attack’s details or perpetrator. However, the Lockbit ransomware gang claimed responsibility for an attack on IMS in early November 2024.

“The personal information of Bank of America customers was also exposed after a MOVEit cyberattack in May on accounting firm Ernst & Young by the Cl0p ransomware group,” Andrew Costis, chapter lead of the Adversary Research Team at AttackIQ, told Spiceworks.

“Organizations like Bank of America that handle the personal customer data of millions must prioritize cybersecurity defenses, particularly with the use of third-party service providers. The vulnerability of customer data exploited through IMS in November and Ernst & Young in May reiterates the vulnerability of these organizations to ransomware threats.”

Lockbit is one of the most prolific ransomware gangs operating today. After earning $91 million in ransom proceeds between 2020 and June 2023, the cybercriminal syndicate spent much of the second half of 2023 in the top spot by number of attacks carried out.

Malwarebytes Labs assessed that Lockbit carried out more than 600 attacks in H2 2023, more than any other ransomware gang. The group exploited the Citrix Bleed vulnerability to compromise dozens of organizations, including the Industrial and Commercial Bank of China (ICBC), DP World, Allen & Overy, and Boeing.

The ransomware-as-a-service group hasn’t shied away from targeting critical infrastructure or even hospitals, such as the Hospital for Sick Children in December 2022, Carthage Area Hospital and Claxton-Hepburn Medical Center in August 2023, Katholische Hospitalvereinigung Ostwestfalen (KHO) in December 2023, and, more recently, Capital Health in January 2024.

Lockbit is reported to have also formed an alliance with the ALPHV/BlackCat ransomware gang following the latter’s infrastructure takedown by law enforcement.


Third-party risks

Third-party risks have become as clear as daylight in the COVID-19 era and the years since. For instance, the MOVEit vulnerability (discovered in May 2023) had enabled cybercriminals to victimize 2,611 organizations and 85.1 to 89.9 million individuals as of December 2023, according to data tracked by Kon Briefing.

According to SecurityScorecard, 90% of the world’s top energy companies suffered a data breach because of third parties.

“MOVEit was undoubtedly the attack that dominated media headlines in 2023 because it demonstrated the devastating impact of supply chain breaches. Criminals only need to find one gap in the chain. They can then access hundreds of organizations’ networks by pivoting from one company to the next, or in this case, compromising a supplier who holds an organization’s data. This causes incredible damage and losses, but attackers are now favoring these types of assaults because they provide maximum return with often minimal effort.”

Lockbit has taken a particular interest in exploiting the Citrix Bleed vulnerability. Erich Kron, security awareness advocate at KnowBe4, told Spiceworks, “Using third parties to process data is not bad in and of itself and can lead to efficiencies and outcomes that are not available by doing things in-house; however, it’s critical to ensure that policies and procedures exist related to the protection of any data being shared.”

“Making sure that contracts define what information is being processed and how long it’s been retained is a very important part of this data management with third parties. In addition, information should be limited as much as possible and anonymized whenever it’s an option. Organizations sharing data should have a good idea of the security posture of those they are working with, so occasional checks and audits of those security programs can be very important,” Kron continued.

Boyd added that organizations should consider how they share information with third parties and how their data is connected.

Customers at risk

The compromised information is a potential goldmine given the level of personalization cybercriminals can achieve to trick targets into making a wrong decision. The exposed PII may include details of customers’ “deferred compensation plan,” according to the IMS notification, which may consist of savings and pensions.

Calling the data “ripe for abuse,” Sean McNee, VP of Research and Data at DomainTools, told Spiceworks, “The deeply interconnected nature of running a business online generates tremendous value for consumers and business owners alike, but it also fundamentally changes the threat landscape businesses must defend themselves against. Supply chain attacks such as this highlight the unique challenges operating today. Unfortunately, customers end up suffering long term effects from these events.”

McNee suggested customers update banking passwords, leverage two-factor authentication (2FA) if the bank offers it, and monitor account activity. He also advised customers to watch out for phishing emails, vishing calls, or smishing texts that ask for personal information or claim to be from the bank. “Always verify the source before providing any information.”

Affected customers can also leverage the complimentary two-year membership for Experian IdentityWorks’ identity theft protection service provided by BofA, which includes daily credit monitoring.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com