Securing the Digital Thread: Strengthening Software Resilience in the Wake of the Bank of America Cyberattack


At the beginning of last month, news broke that Bank of America customer data had been exposed in a data breach. The breach itself occurred late last year at a third-party service provider, Infosys McCamish Systems LLC (IMS), not on Bank of America's own systems. As more information has come out, it has been revealed that other IMS customers, notably including Northwestern Mutual, were also affected. According to reports, the ransomware group known as LockBit is responsible for the attack.

IMS is an Atlanta, GA-based subsidiary of Infosys Limited, an India-based company, which administers deferred compensation plans as a service to Bank of America. On discovering the breach, IMS launched an investigation with the help of data forensics specialists, reviewing the compromised files to determine which consumers were affected and what information had been exposed. The investigation determined that Bank of America's own computer network was not compromised. Only after the investigation was complete, reportedly 21 days after the breach was discovered, did IMS notify Bank of America.

IMS filed notice of the breach with the Office of the Maine Attorney General and Bank of America reportedly has filed with the Office of the Attorney General of Texas. According to the public record of the filing in Maine a little more than 57,000 Bank of America consumers were affected.

In conjunction with filing notice, IMS sent out data breach notification letters to those affected individuals to notify them of the incident. According to those letters, the information compromised included but may not be limited to:

·      First and last names

·      Business and/or personal addresses

·      Email addresses

·      Date of birth

·      Social security numbers

·      Other account-related information

Despite the number of individuals affected and the sensitive nature of the information, no evidence has been found that the information has been used maliciously. Such statements describe only what the investigation had found at the time of notification; with names, dates of birth and Social Security numbers exposed, affected individuals remain at risk of identity theft well after the letters go out. Although the filings and the letters went out at the beginning of last month, Bank of America was made aware of the breach on November 24, and IMS had discovered the attack at least 21 days before that.

The timeline of the key events in this cyberattack and the ensuing investigation remains unclear, and that timeline may end up being significant not only to affected consumers but also to both companies involved.

The conflicting dates in differing reports, and the gaps that exist in the timeline, point to a breakdown in communication between the parties involved and perhaps even a lack of transparency. Beyond the obvious concern that affected people were unaware for so long that their personal information had been compromised, there is a legal concern: the time taken to notify affected persons very likely exceeded what at least some states require. Deadlines differ from state to state. In Maine, where IMS filed notice, an entity must notify affected individuals no more than 30 days after becoming aware of the breach. The interval between IMS discovering the attack and the notification letters going out clearly exceeded that limit, and according to the filing 93 Maine residents had their personal information exposed, so legal action is to be expected as events continue to unfold.

This is just the latest alarm bell signaling that organizations' third-party and supply chain networks are not sufficiently secure in today's increasingly interconnected world. That became glaringly apparent last year, when the number of cyberattacks was alarmingly high. According to IT Governance there were 2,814 cybersecurity incidents in 2023, accounting for more than 8 billion breached records: enough for at least one per person in the world. This was more than double the 2021 figure (1,243), which was itself regarded as a particularly high year. Many organizations are still feeling the aftermath of the MOVEit breach last summer, one of the largest in recent memory and another attack that reached its victims through a third party, in that case a vulnerability in the MOVEit Transfer file-transfer software used by service providers to move sensitive data.

Cybersecurity in third-party and supply chain networks matters more to organizations now than it ever has. The risks are more prevalent, and there is far more private and sensitive information for cybercriminals to steal. Numerous software solutions are available, but tooling alone is not enough: organizations need to know which third parties hold which categories of their customers' data, to evaluate the systems and contracts they already have in place, and to make sure vendor agreements fix incident-notification timelines well inside the shortest statutory deadline they are subject to, rather than leaving notification until a provider's own investigation is complete.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.