Article Details

Scrape Timestamp (UTC): 2024-02-13 05:33:03.860

Source: https://www.theregister.com/2024/02/13/infosys_bank_of_america_leak/

Original Article Text

Infosys subsidiary named as source of Bank of America data leak.

Looks like LockBit took a swipe at an outsourced life insurance application.

Indian tech services giant Infosys has been named as the source of a data leak suffered by the Bank of America.

Infosys disclosed the breach in a November 3, 2023, filing [PDF] that revealed its US subsidiary Infosys McCamish Systems LLC (IMS) "has become aware of a cyber security incident resulting in non-availability of certain applications and systems in IMS."

A data breach notification filed in the US state of Maine this week describes the incident as "External system breach (hacking)" and reveals the improperly accessed data includes "Name or other personal identifier in combination with: Social Security Number."

The notification was submitted by an outside attorney working on behalf of the Bank of America, names IMS as the source, and revealed that information on 57,028 people was leaked.

A sample of the letter [PDF] sent to those impacted by the incident reveals that on November 24, "IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised."

Things then get a bit scary: "It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information."

In other words, almost everything a fraudster needs to attempt identity fraud – a likely outcome of this event as the term "deferred compensation plan" describes private pensions, retirement savings plans, and awards of stock options.

The term can also describe payouts under life insurance policies, which The Register mentions as IMS bills itself as "the center of excellence for Infosys's Life Insurance software solutions and services offerings in the US."

The Register has asked Infosys to explain the incident. We've not received a response at the time of publication.

But we note that on November 4, 2023, an allegation emerged that the notorious LockBit ransomware-as-a-service gang was behind the incident at IMS. Ransomware certainly fits the description of the incident.

Victims have been offered the usual advice – change passwords, watch your accounts for stuff you didn't do – and the customary two years of free identity theft protection services from Experian.

Daily Brief Summary

DATA BREACH // Infosys Subsidiary Implicated in Major Bank of America Data Leak

Infosys McCamish Systems (an Infosys subsidiary) was identified as the source of a significant data breach affecting the Bank of America.

Confidential information of 57,028 individuals, potentially including Social Security Numbers and account details, was compromised.

The security incident, classified as an "External system breach (hacking)," led to the non-availability of certain applications and systems.

While Bank of America's systems remained secure, the data related to deferred compensation plans managed by the bank was exposed.

The exact extent of the data accessed by the hackers remains uncertain, heightening the risk of identity fraud for the affected individuals.

The LockBit ransomware gang is suspected of orchestrating the cybersecurity incident at Infosys McCamish Systems.

Impacted individuals have been offered advice on precautionary measures and two years of complimentary identity theft protection services from Experian.