Bank of America has identified Infosys McCamish Systems (IMS), a subsidiary of Indian software services company Infosys, as the source of a data leak that affected over 57,000 Bank of America users in November 2023. The breach occurred when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications.
IMS informed Bank of America on November 24, 2023, that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America subsequently notified its consumers about the data breach in a letter sent in February 2024.
The breach was described as an “External system breach (hacking)” that illegally accessed information such as names or other personal identifiers in combination with Social Security numbers of 57,028 individuals. It is important to note that Bank of America’s own systems were not compromised in this incident.
IMS, a subsidiary of Infosys BPM Limited, has been actively working to investigate and contain the breach. To date, there is no evidence of continued threat actor access or persistence in the IMS environment.
Bank of America has taken steps to address the situation and is providing affected users with a complimentary two-year membership in an identity theft protection service. It is unclear whether other banking customers of Infosys were also impacted by this breach.
