WASHINGTON (CNBC) - Bank of America is sending notification letters to 57,000 customers to inform them that their personal information was stolen in a data breach at third-party services provider Infosys McCamish System (IMS).
The incident was disclosed on November 3, 2023, when IMS parent company Infosys said in a filing with the U.S. Securities and Exchange Commission that it fell victim to a cyberattack resulting in several applications and systems becoming unavailable.
On January 11, the company informed the SEC that it had restored all the impacted systems by December 31, and that losses related to the incident were estimated at $30 million. The company also noted that additional costs such as indemnities or damages/claims could also occur.
“McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data,” the company said.
On February 1, Bank of America started notifying customers that “data concerning deferred compensation plans serviced by Bank of America may have been compromised” in the IMS incident.
In the letter, a copy of which was submitted to the Maine Attorney General’s Office, Bank of America noted that it cannot determine “with certainty what personal information was accessed” during the attack.
However, deferred compensation plan information may include names, addresses, dates of birth, Social Security numbers, business email addresses, and other account information.
“Although we are not aware of any misuse involving your information, we are notifying you that Bank of America will provide a complimentary two-year membership in an identity theft protection service,” Bank of America said.