Bank of America recently reported a data breach at Infosys McCamish Systems, a subsidiary of Infosys [2] [3], to the Office of the Maine Attorney General [3]. This breach highlights the ongoing issue of third-party breaches and the importance of safeguarding consumers’ private information [6].


The breach, which occurred on October 29, 2023 [3], impacted over 57,000 customers of Bank of America. Hackers gained unauthorized access to customer names, Social Security Numbers (SSN) [2] [3] [6], financial account information [1] [4] [7], addresses [1] [2] [4] [5] [6] [7], and dates of birth [1] [2] [4] [6] [7]. While it is uncertain which specific personal information was accessed [3] [6], the bank mentioned that data concerning certain deferred compensation plans may have been affected [7]. The breach is attributed to an external system breach [3], and the LockBit ransomware gang allegedly added Infosys McCamish Systems to their data leak site. Affected customers have been notified about the breach and warned about potential phishing attacks and identity theft. In response, Bank of America has taken steps to protect its customers by offering two years of free identity theft protection services from Experian. This incident follows a previous breach in May 2023 [4], where the MOVEit Transfer platform of Ernst & Young [4], the accounting firm handling financial information for Bank of America [4], was compromised by the Clop cybercrime gang [4]. Bank of America has not commented on the breach involving Infosys McCamish Systems or the LockBit ransomware.


The breach at Infosys McCamish Systems has significant implications for the affected customers, who are at risk of identity theft and potential financial fraud. Bank of America has taken measures to mitigate the impact by offering free identity theft protection services and credit watch services. However, this incident underscores the ongoing challenge of third-party breaches and the need for robust safeguards to protect consumers’ private information. It is recommended that affected individuals seek legal advice to protect against fraud or identity theft following the breach [7].