Infosys McCamish cyber incident in October led to data breach at BofA

The incident was detected on 29 October 2023, as per BoFA.

Infosys Ltd, parent of Infosys McCamish, notified the stock exchanges about the development on 3 November.

The breach led to unauthorized access to sensitive customer information, including names, addresses, social security numbers, and other account details related to BofA’s deferred compensation plan.

This incident was officially reported to the attorney general of Maine, US, by BoFA earlier this month.

The bank has engaged Jason Chapman, partner at Boston-based law firm Wilmer Cutler Pickering Hale and Dorr LLP, for legal representation.

BoFA, the second largest bank in the US, has also notified affected customers in Maine, as required by law, and offered them a two-year membership in an identity theft protection service to mitigate the breach’s impact.

On or around 3 November, Infosys McCamish Systems was impacted by a cybersecurity event where a third party accessed its systems, rendering certain applications unavailable, said a notification by BofA to affected Maine residents that was accessed by Mint.

On 29 November, the company informed BofA that data pertaining to the bank’s deferred compensation plan may been compromised, as per the notification.

“It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information,” read BofA’s notification.

Infosys McCamish Systems, acquired by Infosys BPM in December 2009, specializes in providing solutions for the insurance and retirement sectors.

Following the breach, Infosys said it employed a cybersecurity products provider to resolve the “cybersecurity event.”

“We are working with a leading cybersecurity products provider to resolve this at the earliest and have also launched an independent investigation with them to identify potential impact on systems and data,” Infosys said in its filing to the stock exchanges on 3 November.

Mint‘s efforts to seek comments from both Bank of America and Infosys McCamish have so far been met with limited responses, with Infosys referring back to their initial filing on November 3 without further comment.

Meanwhile, on 4 November cybercriminal group LockBit took to the social media platform X to claim responsibility for the attack. LockBit, known for its ransomware-as-a-service operations, threatened to sell or leak the stolen data unless a ransom was paid, starting the bidding at $500,000 for the 50GB of compromised information.

Milestone Alert!
Livemint tops charts as the fastest growing news website in the world 🌏 Click here to know more.

Here’s your comprehensive 3-minute summary of all the things Finance Minister Nirmala Sitharaman said in her Budget speech: Click to download!

Published: 14 Feb 2024, 11:48 AM IST