Bank of America Suffers A Data Leak Because A Vendor Of Theirs Got Pwned

Bank of America is warning customers of a data breach exposing their personal information after Infosys McCamish Systems (IMS), one of its service providers, was pwned last year:

On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications. On November 24, 2023, IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America’s systems were not compromised.

In response to the security incident, IMS retained a third-party forensic firm to investigate and assist with IMS’s recovery plan, which included containing and remediating malicious activity, rebuilding systems, and enhancing response capabilities. To date, IMS has found no evidence of continued threat actor access, tooling, or persistence in the IMS environment.

When someone who clearly has access to the Bank of America network gets pwned, everything downstream is pwned. Or at least it should be. John Gunn, CEO, Token, comments on why that appears not to have happened here:

You can be certain that Bank of America has the highest level of security and imposes incredibly stringent cybersecurity requirements on their third-party partners, with the latter being legendary. With large global organizations that have thousands of service providers, these events are nearly impossible to prevent. Cybercriminals have stepped up their attacks on outsource service providers knowing they cannot directly defeat the cybersecurity of a major bank. The silver lining is that this event impacted less than 1/1000th of their customer base.

In this case, Bank of America might have dodged a major bullet. But that doesn’t mean that they will continue to do so. Thus I hope they look at their processes and security and make sure that they give themselves the best chance of avoiding pwnage.

UPDATE: I have additional commentary. Starting with Paul Valente, CEO & Co-Founder, VISO TRUST:

“Bank of America’s breach involving IMS is a stark reminder that even the strongest security fortresses can be undermined by exploiting the expanded attack surface connected third party ecosystems represent. CISOs know it’s all too common that companies invest millions in top-notch security only to entrust their data to lesser-known vendors with questionable defenses. Questionnaires won’t cut it – we need a thorough understanding of a vendor’s security program maturity. Time for a reality check in the world of data protection.”

Next up is Craig Harber, Security Evangelist, Open Systems:

“The Bank of America (BoA) data breach highlights the importance of companies implementing third-party risk management. To protect their customers, companies must implement consistent security standards across their entire business ecosystem to help mitigate cyber-attacks originating through partner and supplier systems.

“Third-party partners like IMS are critical to most modern businesses, including the financial sector. Unfortunately, these partnerships introduce inherent risks because the resulting interconnected IT/business systems do not deliver the critical trust relationship to prevent supply chain attacks, data breaches, and reputation damage. The notorious ransomware gang LockBit, who claimed responsibility for this attack, exploited this known weakness.

“To prevent further occurrences, security teams must implement consistent security standards across the entire business ecosystem, including all its subsidiaries’ IT/business systems, not just IMS. Consistent security practices include requiring prompt and regular patching of system vulnerabilities, implementing multi-factor authentication to prevent exploitation of weak credentials, and deploying comprehensive monitoring tools to identify and neutralize cybersecurity threats.”

Next, here’s a comment from Jason Keirstead, VP of Collective Threat Defense, Cyware:

“Because suppliers have access to sensitive or proprietary information that attackers want to exploit, they need effective cybersecurity controls in place to protect their own systems and data as well as those of their customers. A collective defense approach enhances the cybersecurity posture of both large institutions and their third-party vendors by sharing information and best practices across the supply chain. By working together as a team against common threats, both parties can achieve greater resilience and security than they could individually.”

Dave Ratner, CEO, HYAS:

“Criminals will often go after a link in the chain, which means they may extract information and data not from the company directly but from targeted contractor agencies. It’s just one more reason why everyone, from enterprises to MSSP and MSP providers, should be implementing cyber resiliency strategies immediately as part of their 2024 initiatives as these kinds of breaches, and worse, will continue to occur.”
