
Financial Sector's Third-Party Risks

Third-party data breaches occur when external entities like vendors are compromised, exposing sensitive data, and are increasingly common due to interconnected global supply chains. A recent breach at Infosys McCamish affected 57,028 Bank of America customers, highlighting the risks of third-party service providers in the financial sector and the importance of timely breach notifications. The incident underscores the need for robust cybersecurity measures and thorough vetting of third-party partnerships to protect sensitive customer information.

Uploaded by

varun.bagga

Brief description of what is “Third-party data breach”

Third-party data breaches, where malicious actors compromise external entities like vendors or
suppliers to access sensitive data, are increasingly prevalent due to the interconnectedness of
global supply chains and the ease of technological connections. This complexity often leaves
organizations in the dark about the full path their data takes, risking exposure of sensitive
information through entities they have little knowledge of. As outsourcing becomes ubiquitous
for operational efficiency, cyber risk escalates, demanding a holistic approach to third-party risk
management (TPRM).

Businesses must broaden their cybersecurity efforts to include all third-party interactions within
their ecosystem, a vital step in safeguarding against cyberattacks and data leaks in a digitized
world. Despite the advantages of efficiency and cost-effectiveness, the reliance on third parties
introduces significant vulnerabilities, evidenced by their involvement in about 20% of all data
breaches. These breaches not only have a direct financial impact but also lead to reputational
damage and business disruption. The threat is magnified for third-party service providers who
handle a vast array of sensitive customer data, making them prime targets for cybercriminals.

Recent Data Breach incident: Bank of America Data Breach in October 2023

The recent data breach at Infosys McCamish, a subsidiary of the Indian IT giant Infosys,
underscores the growing vulnerability of financial institutions and their third-party service
providers to sophisticated cyberattacks. This particular incident compromised the personal data
of 57,028 Bank of America (BofA) customers, highlighting the risks associated with the
interconnected nature of digital services in the banking and financial sector. Infosys McCamish,
known for providing financial software solutions, became the target of the notorious ransomware
group LockBit, resulting in the unauthorized access of sensitive customer information.

The breach, which occurred on November 3, was not immediately disclosed to the affected
customers or the public. Infosys McCamish notified Bank of America of the breach on November
24, but it wasn't until February 2 that the customers were formally notified, a significant delay
from the incident date. This timeline raises questions about the timeliness of breach notifications
and the potential impact on affected individuals, considering many states, including Maine,
mandate that companies notify those impacted by a data breach within 30 days of discovery. The
delayed notification, 90 days after the fact, might have left customers vulnerable and unaware of
the risks to their personal and financial data.

Affected individuals had their names, addresses, dates of birth, Social Security numbers, and
other account information compromised. These deferred compensation customers, typically
executives and high-earning employees, rely on these plans for tax-advantaged retirement
benefits beyond what a 401(k) can offer. Infosys McCamish's role was significant in managing
these plans, indicating a breach of this nature not only affects immediate personal data but also
potentially jeopardizes the financial security and planning of those impacted.

The breach is part of a worrying trend of cyberattacks targeting financial institutions and their
service providers. LockBit, the ransomware group claiming responsibility for this attack, has a
notorious history of high-profile cyberattacks, including this breach which they announced just a
day after it occurred. Their modus operandi involves exploiting vulnerabilities in the systems of
their targets to encrypt data and often threaten to publish it unless a ransom is paid. This
particular incident highlights the complex challenges financial institutions face in securing their
networks and the networks of their third-party vendors against such threats.

The responsibility of ensuring cybersecurity in third-party partnerships is a contentious issue.
While Infosys McCamish's systems were the ones compromised, the incident reflects on Bank of
America due to the intertwined nature of their service provision. Regulatory bodies and
cybersecurity experts often emphasize that the primary financial institution holds the ultimate
responsibility for managing third-party risk. This incident may prompt a reassessment of
cybersecurity practices and due diligence in third-party partnerships within the banking sector.

This breach is a stark reminder of the cybersecurity threats facing the financial industry and the
need for robust security measures, thorough vetting of third-party providers, and swift action in
the event of a breach. As cybercriminals continue to evolve their tactics, the banking industry and
its service providers must prioritize investments in cybersecurity defenses and incident response
strategies to protect sensitive customer information and maintain trust in their services.
