Thu | Feb 15, 2024 | 5:16 AM PST

Bank of America is notifying customers that their personal information was compromised in a data breach impacting third-party vendor Infosys McCamish Systems (IMS), an insurance process management services provider.

The breach reportedly occurred after IMS was hacked in November 2023. According to breach notification letters, the exposed customer data includes names, addresses, Social Security numbers, dates of birth, and financial account details. At least 57,028 Bank of America customers with deferred compensation plans were directly impacted.

The notorious LockBit ransomware gang has claimed responsibility for the attack on IMS, saying they encrypted more than 2,000 IMS systems. This incident comes just months after another Bank of America vendor, Ernst & Young, suffered a breach exposing data on 30,210 Bank of America customers.

Cybersecurity experts say this latest breach underscores risks in the interconnected financial sector, especially regarding third-party vendor management.

"As financial institutions increasingly rely on third-party vendors for various services, they inadvertently broaden their attack surface, exposing sensitive customer data to potential breaches," said Tim Callan, Chief Experience Officer at Sectigo. "Strengthening oversight and implementing stringent security protocols for third-party partnerships are imperative to mitigate such risks."

Piyush Pandey, CEO at Pathlock, also commented on the challenges of securing expansive supply chains: "The complexity of financial sector supply chains makes managing and securing third-party access difficult. This breach shows the need for stronger third-party access governance, continuous monitoring, threat detection, and response."

This incident serves as a sobering reminder that cybercriminals are apt to find the weakest link to penetrate otherwise strong defenses. As financial institutions increasingly rely on networks of third-party partners, shoring up security across the entire supply chain is critical.
