IT Security Guru

Cyber gaps in the supply chain — Bank of America breached in another vendor cyberattack

by The Gurus
February 16, 2024
in Cyber Crime, Editor's News, Features, Security News

Third-party cyber-attacks remain one of the most significant threats facing organisations across the globe. Most recently, Bank of America, a multinational investment banking and financial services corporation, began notifying customers that a November 2023 hack against one of its service vendors resulted in the exposure of personally identifiable information (PII). 

The breach occurred following a security incident against Infosys McCamish Systems (IMS), a subsidiary of Infosys that provides deferred compensation plan services to Bank of America. According to the IMS notification letter filed with the Maine Attorney General, “On or around November 3, 2023, IMS was impacted by a cybersecurity event when an unauthorized third party accessed IMS systems, resulting in the non-availability of certain IMS applications.” 

The notice revealed that while only 57,028 of Bank of America’s millions of customers were directly impacted in the breach, the PII exposed included Social Security Numbers, credit card and account numbers, as well as names and addresses. An incendiary mix of data—one that could be easily leveraged by threat actors to launch social engineering attacks against any and all of the impacted individuals.

Then, on November 4th, IMS notified Bank of America that data relating to its customers may have been exposed. The infamous ransomware gang LockBit claimed responsibility on the same day for encrypting over 2,000 IMS systems in the attack.

“Vendor risk is continuing to become more of a concern,” commented Erich Kron, Security Awareness Advocate at KnowBe4. “Bad actors are finding that attacking the large organizations with significant budgets for cybersecurity and data protection can often be less effective than attacking those that process the same information but may not have the same budget to protect it.” 

While Kron explained that using third-party vendors isn’t a bad thing on its own, he also pointed out how “it’s critical to ensure that policies and procedures exist related to the protection of any data being shared. Making sure that contracts define what information is being processed and how long it’s been retained is a very important part of this data management with third parties. In addition, information should be limited as much as possible and anonymized whenever it’s an option.” 

Interestingly, this is not the first time Bank of America has been impacted by a third-party cyber-attack. In May 2023, Ernst & Young, an accounting firm providing services to the bank, was hacked by the Cl0p ransomware gang by way of the MOVEit file transfer zero-day exploit. In this incident, personal data like SSNs and financial information of Bank of America customers were also exposed.  

The fallout from the MOVEit hack was explosive, impacting mainly third-party vendors and, as a result, their many, varied customers.  

Indeed, Ray Kelly, fellow at the Synopsys Software Integrity Group, said, “[The MOVEit] issue caused massive amounts of stolen data from large organisations and even the US Government. Ensuring the trust chain between organisations, while not a simple task, is essential to protecting consumers’ private information.” 

Hackers have certainly cottoned on to the weakness of third-party, supply-chain vendors. Where big enterprises like Bank of America most likely have mature cybersecurity protocols, vendors like IMS might not prioritise cyber posture like they ought to. But really—they ought to. The malicious moxie of cybercriminals and cybergangs continues to evolve daily. Vendors can no longer afford to neglect cybersecurity expertise.

As Tom Kellermann, SVP of Cyber Strategy at Contrast Security, commented, “By targeting these less secure vendors [cybercriminals] can successfully compromise major banks. The regulators must mandate higher standards of cybersecurity for shared service providers.” 

And yet, this doesn’t absolve organisations like Bank of America of responsibility either. Sure, IMS (and previously, Ernst & Young) were the actual hacked parties, but it was Bank of America customers that were impacted. Did the bank do its due diligence to ensure that its vendors were handling data in a sophisticated manner? In the wake of these events, the answer is probably no. The question then becomes: how much longer will banks, enterprises, and even government organisations accept lacklustre cybersecurity standards from their vendors?

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, commented, “Financial institutions, particularly banks, have long been prime targets for cybercriminals due to the vast amount of sensitive information they hold. This breach underscores the need for financial institutions to adopt a proactive approach to cybersecurity, embracing continuous monitoring and threat intelligence capabilities to detect and respond to threats in real-time.”  

Al Lakhani, CEO of IDEE, added, “Protecting the supply chain is critical. Especially when they can cause these kinds of attacks. Therefore, relying on first generation MFA that requires two devices and lacks the capability to prevent credential phishing attacks is a non-starter.  

“To fortify supply chains effectively, they must be protected using next-generation MFA solutions, which protect against credential, phishing and password-based attacks, including adversary-in-the-middle attacks by using same device MFA.” 

Darren James, a Senior Product Manager at Specops Software, an Outpost24 company, commented, “When outsourcing services to 3rd parties that handle personally identifiable or sensitive information, both for employees and customers, appropriate risk assessments should always be made.”

In fact, James suggested asking the following questions when it comes to risk assessing third parties:  

  • Do they regularly scan for breached passwords? 
  • Do they have strong MFA controls in place especially with access to customer data? 
  • Do they scan the internal and external attack surface of their IT systems? Can you see a summary of recent results? 
  • Where is the data held, under which country’s jurisdiction, and is your data always encrypted in transit and at rest?
  • What security, backup, disaster recovery policies and procedures do they have in place? 
  • Do they comply with regulatory requirements for your industry? 
  • What guarantees and insurance do they offer if their systems are compromised? 
  • Do they outsource your data to any other parties? 

Sean McNee, VP of Research and Data at DomainTools, concluded, “The deeply interconnected nature of running business online generates tremendous value for consumers and business owners alike, but it also fundamentally changes the threat landscape businesses must defend themselves against. Supply chain attacks such as this highlight the unique challenges operating today. Unfortunately, customers end up suffering long term effects from these events.” 

“Stay frosty out there,” McNee warned. The best thing consumers can do is to stay vigilant, alert, and proactive. And—if you are one of the impacted—make sure to take advantage of that free credit monitoring service.

Tags: America, Bank, Breach, Cybersecurity, Third-Party
© 2015 - 2024 IT Security Guru - Website Managed by Dessol