Nearshore Americas

BPOs Under Fire After Infosys McCamish Data Breach Hits Bank of America

A data breach at Infosys McCamish Systems (IMS), a US-based subsidiary of Infosys BPM, exposed sensitive information of over 57,000 Bank of America (BOA) customers.

BOA advised customers to monitor their accounts for suspicious activity, warning of potential identity theft attempts.

The news comes over three months after the LockBit ransomware group claimed responsibility for attacking IMS and encrypting over 2,000 systems.

Infosys confirmed the incident on November 3 of last year through a statement to the US Securities and Exchange Commission (SEC).

BOA sent a letter to customers informing them of the breach. The letter details that data from deferred compensation plans might have been compromised. Such plans, which usually involve individuals whose net worth is quite high, tend to include personal information such as names, email addresses, physical addresses and social security numbers.

While no reports of identity theft have emerged so far, concerns remain due to the sensitive nature of the information leaked.

Unlike typical ransomware attacks where data is encrypted and ransom is demanded, no ransom negotiations have been reported.

Infosys and BOA face potential legal challenges for exceeding the 30-day notification period mandated in many states, including Maine, where the breach occurred. Both companies notified customers on February 2, 90 days after the incident.

Third-Party Providers Under Fire

Third-party service providers find themselves under tighter scrutiny following the IMS data breach.

Industry analysts have advocated for stricter regulatory measures. Calls for enhanced governance controls over third-party access, coupled with continuous monitoring and robust threat detection and response strategies, are gaining momentum.

Roger Neal, head of product at Apona Security, told SC Magazine that it is close to impossible to protect against all forms of cyber attacks given the current digital landscape.

The LockBit group came into being in late 2019. A report by the US cybersecurity authority in June 2023 revealed that the LockBit ransomware gang extorted US$91 million from US organizations through over 1,700 attacks in the past three years.

Bank of America, with its vast customer base of over 69 million across 35 countries, has become a prime target.

The IMS incident marks the second data breach affecting BOA customers in less than a year. In May 2023, the Clop cybercrime gang breached Ernst & Young networks, compromising sensitive data, such as credit card numbers, social security information and unique government IDs, of over 30,000 of the bank’s customers.

While BOA maintains that its systems remained secure in both incidents, it is offering complimentary cybersecurity services to affected customers for two years as a proactive measure.

Acquired by Infosys in 2009, IMS primarily serves the US insurance industry, offering software and services to over 34 insurance companies.

IMS provides BPO services, assisting financial institutions with insurance-related needs like marketing, plan design, documentation, enrollment and administration.

BOA has been partnering with Infosys and other business services providers since 2002.

Narayan Ammachchi

News Editor for Nearshore Americas, Narayan Ammachchi is a career journalist with a decade of experience in politics and international business. He works out of his base in the Indian Silicon City of Bangalore.
