Data Breaches Hit Bank of America, Prudential

More than 57,000 Bank of America customers have been impacted by a data breach, while Prudential Financial is also reporting a data breach. 

A November 2023 breach at IT consulting and service provider Infosys McCamish Systems (IMS) has now been confirmed to have led to a data breach impacting Bank of America customers.

According to a breach notification letter to Bank of America customers, on Nov. 24, IMS told the bank that data concerning deferred compensation plans the bank serviced may have been compromised.

“Bank of America’s systems were not compromised,” it said. “To date, IMS has found no evidence of continued threat actor access, tooling or persistence in the IMS environment. It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number and other account information.”

According to an IMS breach notification letter on behalf of Bank of America filed with the Attorney General of Maine, 57,028 bank customers have been impacted by the breach.

Bank of America Breach Highlights Need for Stronger Controls

On Nov. 4, the LockBit ransomware gang claimed responsibility for the IMS attack, saying its operators encrypted more than 2,000 systems during the breach.

Piyush Pandey, CEO at Pathlock, said the interconnectedness and complexity of supply chains in the financial sector increases the difficulty of managing and securing third-party access. This breach notification highlights the need for more stringent third-party access governance controls, continuous monitoring, and strong threat detection and response strategies to safeguard against such attacks.

“This incident also reflects the broader trend of cybercriminals exploiting third-party vulnerabilities to target major organizations, necessitating a more comprehensive and proactive approach to access controls across all levels of the supply chain,” he said. “Given how highly regulated the financial sector is with regard to data protection and privacy, ensuring that third-party vendors comply with these regulations is crucial, but challenging.”

Andrew Costis, chapter lead of the adversary research team at AttackIQ, said personal information of Bank of America customers was also exposed after a MOVEit cyberattack last May on accounting firm Ernst & Young by the Cl0p ransomware group.

“Organizations like Bank of America that handle the personal customer data of millions must prioritize cybersecurity defenses, particularly with the use of third-party service providers,” he said. “The vulnerability of customer data exploited through IMS in November and Ernst & Young in May reiterate the vulnerability of these organizations to ransomware threats.”

Prudential Financial Breach

According to a U.S. Securities and Exchange Commission (SEC) filing, Prudential Financial said it detected that, beginning Feb. 4, a threat actor gained unauthorized access to some of its systems.

“As of the date of this report, we believe that the threat actor, who we suspect to be a cybercrime group, accessed company administrative and user data from certain IT systems, and a small percentage of company user accounts associated with employees and contractors,” it said. “We continue to investigate the extent of the incident, including whether the threat actor accessed any additional information or systems, to determine the impact of the incident. On the basis of the investigation to date, we do not have any evidence that the threat actor has taken customer or client data. We have reported this matter to relevant law enforcement and are informing regulatory authorities.”

Claude Mandy, chief evangelist of data security at Symmetry Systems, said the proactive holding statement by Prudential is indicative of the pressure being put on cybercrime victims by cybercriminals under this new incident reporting requirement. It is a sign of a well-rehearsed incident response program.

Symmetry Systems' Claude Mandy

“Organizations need to quickly identify what the potential impact from a breach is to determine its potential materiality to kick start the disclosure process,” he said. “At the same time, the cybercriminals can and will be threatening public disclosure of the incident to extort money from the victims. An early disclosure like this relieves that pressure, but requires modern data security tools to determine the likely materiality of the incident.”

Motivation for Public Disclosure

Darren Guccione, CEO and co-founder of Keeper Security, said following finalization of the new SEC reporting requirements, there will be a flood of mandatory cyber incident reports to the federal commission.

Keeper Security's Darren Guccione

“However, with this case and others, we also appear to be seeing an increased inclination to voluntarily report cyber incidents that do not meet the threshold for disclosure,” he said. “By submitting a report to the SEC that an incident occurred, but did not have material impact on operations, Prudential may be attempting to proactively mitigate reputational damage – operating under the assumption that fewer people will read an SEC filing than a public statement. This type of voluntary disclosure is likely motivated more by public relations than regulations.”