On February 12, 2024, Bank of America began notifying approximately 57,028 customers that their personal information had been compromised in a ransomware attack against Infosys McCamish Systems (IMS), a subsidiary of Indian IT giant Infosys that provides insurance and financial services processing. The breach had occurred in November 2023, but affected customers did not learn about it until three months later.
The incident was another entry in the growing catalog of third-party supply chain breaches where the attack hits a vendor but the data belongs to the vendor's clients and their customers. Bank of America's own systems were never compromised. But that distinction offered cold comfort to the 57,000 people whose Social Security numbers, financial account details, and other sensitive information were in the hands of ransomware operators.
What Happened at Infosys McCamish
Infosys McCamish Systems (IMS) is a subsidiary of Infosys BPO that provides insurance process management, including policy administration, claims processing, and retirement services for major financial institutions. IMS processes sensitive financial and personal data on behalf of its clients, including Bank of America, for deferred compensation plan administration.
On November 3, 2023, IMS detected unauthorized access to its systems. The LockBit ransomware group claimed responsibility for the attack, stating that it had exfiltrated data and encrypted systems. LockBit listed Infosys McCamish on its dark web leak site and published sample data as proof of the breach.
The attack disrupted IMS operations and affected multiple clients beyond Bank of America. Several insurance companies and financial institutions that relied on IMS for processing services reported downstream impacts. The full scope of the compromise extended to an estimated 6.5 million individuals across all affected IMS clients, a figure that Infosys disclosed months later.
Compromised Data
The Bank of America notification letters, filed with the Maine Attorney General, detailed the categories of compromised data:
- Full names
- Social Security numbers
- Dates of birth
- Addresses
- Financial account numbers
- Credit card numbers
- Other account-related information
This was a comprehensive identity theft package. The combination of Social Security numbers, financial account details, and credit card numbers gave attackers everything needed to commit financial fraud, open new credit accounts, and drain existing ones.
Bank of America offered affected customers two years of identity theft protection through Experian, including credit monitoring, identity theft insurance, and fraud resolution services. However, as with all breach notifications, the delayed timeline meant that customers had been exposed for three months without knowledge or protection.
The Third-Party Cascade
The Infosys McCamish breach was a textbook illustration of third-party supply chain risk in financial services. The attack chain looked like this:
- LockBit affiliates compromised Infosys McCamish Systems
- IMS held data belonging to multiple financial institutions
- Bank of America customers' data was among the compromised records
- Bank of America had to notify and protect customers for a breach it did not experience directly
This cascade is becoming increasingly common. Financial institutions outsource processing functions to specialized vendors for cost efficiency and operational scale. These vendors, in turn, may subcontract to other providers, creating a chain of custody for sensitive data that extends across multiple organizations and jurisdictions.
Each link in this chain is a potential point of failure. The security of the entire chain is determined by its weakest link. In this case, the weakest link was not Bank of America, which maintains a substantial cybersecurity program, but a subsidiary of a business process outsourcing company.
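The cascade and weakest-link points above can be made concrete with a small data-custody model. The following Python is an added example, not code from the original post or from Safeguard.sh: it records which organisation entrusted which data categories to which processor, answers "whose customers are exposed, and in which categories, if this one node is compromised", and scores each custody chain by its least mature participant. The node names other than Bank of America and IMS, the data categories, and the control-maturity scores are constructed placeholders; the model also assumes a sub-processor holds at most the categories its upstream received.

```python
"""Constructed model of a third-party data-custody chain.

Nodes are organisations; edges carry the data categories one organisation
entrusted to the next. Everything below is illustrative sample data.
"""


# holder -> list of (downstream processor, categories entrusted to it)
# "bank_of_america" and "ims" follow the incident in the post; "insurer_a"
# and "subprocessor_x" are constructed stand-ins for unnamed IMS clients and
# a hypothetical sub-processor.
CUSTODY = {
    "bank_of_america": [("ims", {"ssn", "dob", "account_number", "card_number"})],
    "insurer_a": [("ims", {"ssn", "dob", "policy_number"})],
    "ims": [("subprocessor_x", {"ssn", "dob"})],
    "subprocessor_x": [],
}

# Constructed control-maturity scores (1.0 = strongest). Not real assessments.
CONTROL_SCORE = {
    "bank_of_america": 0.9,
    "insurer_a": 0.8,
    "ims": 0.4,
    "subprocessor_x": 0.5,
}


def data_owners(graph):
    """Organisations that own the customer relationship: nodes nobody
    entrusts data to, i.e. the start of every custody chain."""
    downstream = {d for edges in graph.values() for d, _ in edges}
    return [n for n in graph if n not in downstream]


def custody_paths(graph):
    """Enumerate every path from a data owner to a downstream holder.

    Returns (path, categories) pairs. The categories carried along a path are
    the intersection of what each hop was entrusted with, on the assumption
    that a processor cannot pass on more than it received.
    """
    paths = []
    for owner in data_owners(graph):
        stack = [(owner, [owner], None)]
        while stack:
            node, path, carried = stack.pop()
            for nxt, entrusted in graph.get(node, []):
                cats = set(entrusted) if carried is None else carried & set(entrusted)
                new_path = path + [nxt]
                paths.append((new_path, cats))
                stack.append((nxt, new_path, cats))
    return paths


def blast_radius(graph, compromised):
    """Map each data owner to the categories exposed if `compromised` is breached.

    Every custody path that passes through the compromised node is in scope;
    an owner appearing here has a notification obligation for a breach it did
    not experience on its own systems.
    """
    exposed = {}
    for path, cats in custody_paths(graph):
        if compromised in path[1:]:
            exposed.setdefault(path[0], set()).update(cats)
    return exposed


def weakest_link(path, scores):
    """The participant with the lowest control-maturity score on a chain."""
    return min(path, key=lambda n: scores[n])


def chain_strength(path, scores):
    """A custody chain is no stronger than its weakest participant."""
    return scores[weakest_link(path, scores)]


if __name__ == "__main__":
    for owner, cats in blast_radius(CUSTODY, "ims").items():
        print(f"{owner}: must notify for {sorted(cats)}")
    for path, _ in custody_paths(CUSTODY):
        print(" -> ".join(path), "strength", chain_strength(path, CONTROL_SCORE),
              "weakest", weakest_link(path, CONTROL_SCORE))
```

Run as a script, it shows that a single compromise at IMS creates notification obligations for every owner upstream of it, and that a chain running through a sub-processor is scored by the lowest-maturity participant on it, not by the institution that owns the customer relationship. A vendor-management program that tracks only direct vendors would miss the sub-processor hop entirely.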
Infosys Under Scrutiny
The breach put Infosys, one of the world's largest IT services companies, under significant scrutiny. Infosys had marketed its McCamish subsidiary as a trusted partner for sensitive financial data processing. The LockBit breach raised questions about the security standards applied to Infosys subsidiaries handling critical financial data.
Infosys initially disclosed the incident in a brief SEC filing on November 3, 2023, stating that it had identified unauthorized activity in its McCamish Systems subsidiary. The company provided minimal details and did not disclose the number of affected individuals.
It was not until Bank of America and other IMS clients began their own investigations and notification processes that the full scope became clear. The eventual disclosure that 6.5 million individuals were affected across all IMS clients made it one of the largest vendor-related financial data breaches of the year.
The incident also raised questions about the security oversight that financial institutions exercise over their outsourcing partners. Bank of America, as a systemically important financial institution regulated by the OCC, Federal Reserve, and other agencies, has regulatory obligations to manage third-party risk. Whether its vendor management program adequately assessed and monitored IMS security controls became a focal point of regulatory inquiry.
Regulatory Implications
The breach occurred against a backdrop of increasing regulatory attention to third-party risk in financial services. The OCC, Federal Reserve, and FDIC had jointly issued updated guidance on third-party risk management in 2023, emphasizing the need for financial institutions to:
- Conduct thorough due diligence before engaging third-party vendors
- Implement ongoing monitoring of vendor security practices
- Ensure contracts include appropriate security requirements and audit rights
- Plan for business continuity in the event of a vendor failure or breach
The Infosys McCamish breach tested whether financial institutions were meeting these expectations. The three-month gap between the breach and customer notification suggested that the communication and coordination protocols between IMS and its clients were not as robust as regulators would expect.
Multiple class-action lawsuits were filed against both Bank of America and Infosys McCamish, alleging failure to protect customer data and failure to provide timely notification. The lawsuits highlighted the legal uncertainty around liability when a breach occurs at a vendor rather than the primary institution.
The Offshore Outsourcing Dimension
The Infosys McCamish breach also brought attention to the security implications of offshore outsourcing in financial services. While IMS operates from the United States, its parent company Infosys is headquartered in India, and the broader Infosys ecosystem spans multiple countries.
Cross-border data processing creates additional complexity for security management, incident response, and regulatory compliance. Different jurisdictions have different data protection requirements, and coordinating a security investigation across multiple countries adds time and complexity to the response.
For financial institutions considering outsourcing relationships, the breach reinforced the need to evaluate not just the security practices of the direct vendor but also the security governance of the vendor's parent company and any sub-processors that may handle the data.
Notification Timeline Challenges
The timeline of the Infosys McCamish breach illustrated the notification challenges inherent in third-party breaches:
- November 3, 2023: IMS detects the breach
- November 2023: IMS begins forensic investigation and notifies clients
- December 2023-January 2024: Clients conduct their own investigations to determine which customers were affected
- February 12, 2024: Bank of America begins notifying affected customers
The total elapsed time from breach to customer notification was over three months. During this period, each organization in the chain was conducting its own investigation, and no one was in a position to notify end customers until the forensic analysis determined exactly whose data was affected.
This is not an unusual timeline for a third-party breach. But from the perspective of the affected individuals, three months of unprotected exposure to identity theft is unacceptable. The structural problem is that the current breach notification framework does not adequately account for the additional time required when a breach occurs at a vendor rather than the organization that owns the customer relationship.
How Safeguard.sh Helps
The Bank of America-Infosys McCamish breach demonstrates that financial institutions must extend their security visibility into their entire vendor ecosystem. Safeguard.sh supports this extended visibility:
- Supply chain mapping tracks the software components and services used by your critical vendors, giving you visibility into potential vulnerabilities in the tools that process your data.
- Continuous vulnerability monitoring alerts you when CVEs are discovered in software used across your extended vendor network, enabling proactive conversations about patching and risk mitigation.
- Policy enforcement defines security standards that software in your supply chain must meet, creating a measurable baseline that can be applied consistently across internal systems and vendor environments.
- Risk assessment and scoring evaluates the aggregate security risk of your vendor relationships, helping you identify where concentrated vendor dependencies create unacceptable risk.
When your customers' data is in someone else's hands, your security responsibility does not end at your network boundary. Safeguard.sh helps you see and manage the full extent of your software supply chain.