Infosys McCamish Data Breach Hits Bank of America

Updated by Keith Kirkland

High-Level Summary of the Security Advisory

Infosys McCamish Systems (IMS) is a subsidiary of Infosys BPM, a business process management company wholly owned by Infosys Limited. Based in Georgia, United States, Infosys McCamish Systems specializes in providing platform-based solutions and services for insurance process management. IMS provides services for deferred compensation plans, including plans serviced by Bank of America.

A significant data breach occurred at Infosys McCamish Systems in October 2023, exposing sensitive information of 57,028 Bank of America (BofA) customers. On November 3, 2023, Infosys Limited issued a company statement to inform the stock exchanges about a cybersecurity incident that resulted in the non-availability of certain IMS applications. According to the statement, IMS initiated an investigation with a cybersecurity products provider to assess the potential impact on its systems and data.

IMS filed a data breach notification with the Attorney General of Maine on behalf of Bank of America. The breach, discovered on October 30, 2023, involved external system hacking and resulted in the unauthorized acquisition of personal information, including names or other personal identifiers in combination with Social Security numbers.

On February 1, 2024, a notification letter was sent to Bank of America customers, revealing that IMS had discovered unauthorized third-party access to its systems. The letter also indicated that Bank of America was alerted on November 24, 2023, about the potential compromise of data associated with deferred compensation plans serviced by the bank.

According to the notice of data breach, IMS may not be able to determine definitively which personal information was accessed during the incident. However, based on its records, deferred compensation plan information may have included first and last names, addresses, business email addresses, dates of birth, Social Security numbers, and other account information. IMS retained a third-party forensic firm to conduct an investigation and aid in the implementation of its recovery plan. As of now, IMS has not detected any ongoing access by threat actors or any evidence of persistent activity within its environment.

Should I be concerned?

Maybe. It depends on whether you have a relationship with Infosys McCamish Systems, Infosys BPM (or its parent company), or Bank of America. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.

Note: this link specifically references vendor directory records. You may also want to search your Relationship List for "Infosys McCamish", "Infosys BPM" or "Bank of America" to confirm.

What to do if you or your vendors have an active relationship with Infosys McCamish Systems, Infosys BPM (or its parent company), or Bank of America

We suggest maintaining close communication with Infosys McCamish Systems, Infosys BPM, Infosys Limited, and Bank of America and staying informed about any subsequent updates or actions that may arise.

Further, as per the data breach notification, Bank of America is providing affected customers with a complimentary two-year membership in Experian IdentityWorks, an identity theft protection service. The service includes credit report monitoring, internet surveillance, and identity theft resolution.

IMS has advised Bank of America customers to adhere to the following guidelines to safeguard personal information, as outlined in the notification letter:

  • Promptly review your credit reports and account statements over the next 24 months and notify your financial institution of any unauthorized transactions or incidents of suspected identity theft.
  • Enroll in the complimentary identity theft protection service provided by Bank of America.
  • Refer to Attachment A for further details on methods to safeguard your identity or any additional rights you may have based on your jurisdiction.

--------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback, please let us know at product@visotrust.com.

For any additional questions, please reach out to your customer success manager.


The VISO TRUST team
