Top American lender Bank of America has named Infosys McCamish Systems (IMS), the US subsidiary of Indian software services giant Infosys, as the source of a data leak that followed a ransomware attack in November and affected over 57,000 of its users, according to documents reviewed by ET.
“On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications. On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised,” said a letter sent earlier in February to Bank of America consumers informing them of the data breach. ET has reviewed the letter.
The notification by Bank of America described the nature of the incident as “External system breach (hacking)”, in which the information of 57,028 persons was illegally accessed and data such as “Name or other personal identifier in combination with: Social Security Number” was stolen. Bank of America’s systems were not compromised, it added.
This is according to a disclosure filed this week by the bank’s outside counsel, Jason Chipman, on behalf of Bank of America. The disclosure named IMS in a submission of a data breach notification before the Office of the Maine Attorney General, the chief legal advisor and prosecutor of the State of Maine, a northeastern region in the United States of America.
ET could not immediately ascertain whether other banking customers of Infosys were also impacted by the breach.
In November, India’s second largest software services firm disclosed the breach in a stock exchange filing. The company later said that it had suffered a hit of 60 basis points (bps) on its operating margins from the McCamish cyber incident, which had an impact on both revenues and costs. In December, Infosys suffered the termination of a $1.5 billion deal, focused on artificial intelligence (AI) solutions, with an undisclosed global company.
ET had reported on December 23, citing Phil Fersht, CEO of HFS Research, that the cancelled contract could most probably be with Manulife (Manulife Financial Corp, headquartered in Toronto). Fersht had indicated the termination of the deal could be linked to the cyber security breach at the US unit, Infosys McCamish Systems (IMS).
IMS is a subsidiary of Infosys BPM Limited, a wholly owned subsidiary of Infosys Ltd.
The breach is said to have occurred on October 29 and to have been discovered the next day, October 30, 2023. Consumers were notified on Feb 1.
“IMS provides services for deferred compensation plans, including plans serviced by Bank of America that you were eligible to participate in. Out of an abundance of caution, we are notifying you about this incident and providing tools to help you protect against possible identity theft or fraud,” the letter further said.
In response to the security incident, IMS retained a third-party forensic firm to investigate and assist with IMS’s recovery plan, which included containing and remediating malicious activity, rebuilding systems, and enhancing response capabilities. To date, IMS has found no evidence of continued threat actor access, tooling, or persistence in the IMS environment, consumers were informed.
Infosys did not respond to ET’s request for additional comments beyond the existing disclosure made by the company in November.
While Bank of America was not aware of any misuse of the user information, its records suggested that the deferred compensation plan information may have included the users’ first and last name, address, business email address, date of birth, Social Security number, and other account information.
As compensation, the bank will provide the users with a complimentary two-year membership in an identity theft protection service, and they will not be billed for it.