Infosys McCamish Systems notifying 57,028 Bank of America customers of ransomware attack

February 03, 2024

More than 57,000 people enrolled in Bank of America deferred compensation plans are being notified of a data breach that occurred in early November 2023.

The incident involved their Atlanta-based service provider, Infosys McCamish Systems LLC (“IMS”). Bank of America’s system was not affected or compromised. IMS is the U.S. subsidiary of Infosys BPM, an India-headquartered firm. IMS provides software and solutions for dozens of insurance companies.

The data breach was reported to the Maine Attorney General’s Office on February 2 by external counsel for Bank of America.

A letter being sent this week to those affected explains that “on or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications.” The letter does not state that this was a malware or ransomware incident, but the “nonavailability” description suggests that it may have been a ransomware attack, and other sources indicate that the firm received a ransom note even though they would not confirm it or acknowledge it.

While IMS did not disclose the incident as a ransomware attack, LockBit threat actors claimed responsibility for the attack on November 4.


LockBit’s post claimed that “2000+ systems were encrypted,” and that IMS had offered them $50k USD, but there is no evidence that either claim was true. “If we receive good enough price from anyone we will sell the ~50GB data to you privately with starting bid of 500k,” the threat actors wrote. The post included what they allege was a file tree of the exfiltrated data. The link no longer worked when The Data Breach Times attempted to verify that.

Nor could The Data Breach Times find any update on the dark web leak site, or any media coverage reporting whether the threat actors ever leaked any of the IMS data they claimed to have exfiltrated. LockBitSupp was not immediately available on their Tox support account to answer a request for updated information on the incident.

IMS notified Bank of America on November 24 that data concerning deferred compensation plans serviced by Bank of America might have been compromised.

In response to the security incident, IMS retained Palo Alto Networks to investigate and assist with recovery, which included containing and remediating malicious activity, rebuilding systems, and enhancing response capabilities. “To date, IMS has found no evidence of continued threat actor access, tooling, or persistence in the IMS environment,” the letter dated February 1 submitted to Maine states.

Normally, notification letters tell recipients exactly what types of personal information may have been accessed or compromised. In this case, the 57,028 recipients may not find out, as IMS writes, “It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information.”

The letter does not explain why they are unable to determine with certainty what was accessed.

IMS writes, “Out of an abundance of caution, we are notifying you about this incident and providing tools to help you protect against possible identity theft or fraud.” The Data Breach Times notes that although many notification letters contain language like, “We are notifying you about this incident out of an abundance of caution,” such language is somewhat misleading when the entity is required by law to notify you of the incident and they are not just optionally or voluntarily informing those affected. Some states also require the entity to offer mitigation services such as credit monitoring and identity theft restoration services. In this case, Bank of America is offering those affected complimentary (i.e., free) two-year membership in an identity theft protection service provided by Experian IdentityWorks℠.

Bank of America is not the only one of IMS’s clients affected by the ransomware attack.