Bank of America is warning customers of a data breach exposing their personal information after Infosys McCamish Systems (IMS), one of its service providers, was hacked last year.
Customer personally identifiable information (PII) exposed in the security breach includes the affected individuals' names, addresses, social security numbers, dates of birth, and financial information, including account and credit card numbers, according to details shared with the Attorney General of Texas.
Bank of America serves approximately 69 million clients at over 3,800 retail financial centers and through approximately 15,000 ATMs in the United States, its territories, and more than 35 countries.
A Bank of America spokesperson declined to comment when BleepingComputer reached out for more details and asked us to connect with Infosys McCamish.
While Bank of America has yet to disclose how many customers were impacted by the data breach, an IMS breach notification letter filed with the Attorney General of Maine on behalf of Bank of America revealed that a total of 57,028 people were directly impacted.
"Or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications," the data breach notification says.
"On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised."
"It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS."
LockBit claims ransomware attack on IMS
The November security breach led to a "non-availability of certain applications and systems in IMS," as explained when the incident was first disclosed in a filing with the U.S. Securities and Exchange Commission.
On November 4th, the LockBit ransomware gang claimed responsibility for the IMS attack, saying that its operators encrypted over 2,000 systems during the breach.
The LockBit ransomware-as-a-service (RaaS) operation came to light in September 2019 and has since targeted many high-profile organizations, including the UK Royal Mail, the Continental automotive giant, the City of Oakland, and the Italian Internal Revenue Service.
In June, cybersecurity authorities in the United States and partners worldwide released a joint advisory estimating that the LockBit gang has extorted at least $91 million from U.S. organizations following roughly 1,700 attacks since 2020.
Infosys, IMS' parent company, is a multinational IT consulting and services provider giant with over 300,000 employees and clients in over 56 countries.
An Infosys spokesperson has yet to respond to a BleepingComputer request for confirmation of LockBit's claims and further information about the security breach.
Bank of America customers' financial account information, credit card, social security, and/or other unique government-issued identification numbers handled by leading accounting firm Ernst & Young were also exposed after the service provider's MOVEit Transfer platform got breached in May 2023 by the Clop cybercrime gang.
"Bank of America has informed us that its systems and servers were not impacted by this event," Ernst & Young disclosed in a filing with the Maine Attorney General, revealing that the May 2023 incident affected 30,210 individuals.
Update February 13, 03:24 EST: Bank of America declined to comment.