The Bank of America 2024 Data Breach and Third-Party Risk (2024)

On February 13th, Bank of America announced a data breach exposing the personally identifiable information (PII) of 57,028 customers. The breach exposed the Social Security numbers, names and dates of birth associated with deferred compensation plans managed by third-party provider Infosys McCamish.

These types of data breaches – many of which originate from third parties – cost an average of $4.45 million. They’ve also increased by 15% over the past three years. It also wasn’t the first time Bank of America’s customers have been exposed. The data of 57,028 customer accounts were also exposed in the MOVEit digital supply chain attack in 2023.

Last year we saw frequent reports of high-profile third-party data breaches and supply chain attacks such as Okta and Citrix Netscaler. As a result, CISOs are under increased pressure to strengthen their supply chain risk management. Almost three quarters (73%) of CISOs at large organizations are very concerned about third-party threats. More than half (65%) have increased their budgets related to third-party cyber risk management.

The Third-Party Opportunity in the Bank of America Hack

With 69 million customers in more than 35 countries, Bank of America is an attractive target for cybercriminals. But experienced cybercriminals, such as the high-profile cybergang LockBit, who took responsibility for the attack, don’t target these types of financial institutions directly. They know that banks of this size and reputation have multiple cybersecurity solutions to keep their internal networks, systems and infrastructure safe from the hands of cybercriminals.

Third parties don’t always have these same resources, however. In addition, they may not yet have a culture of cybersecurity in place, with employees educated on the best cybersecurity practices. Or they may be shifting to strengthen their security posture, leaving them vulnerable in the meantime. As a result, cybercriminals often focus their efforts on third parties that share data with leading institutions, looking for vulnerabilities and risks they can exploit to infiltrate their desired target.

The Importance of Supply Chain Management

In the case of the Bank of America data breach, LockBit found Infosys McCamish Systems (IMS), an Indian tech services giant, to serve this purpose. The first sign of the breach was the “unavailability of certain applications and systems in IMS.” LockBit claims that over 2,000 systems were encrypted during the breach.

While data breaches can be part of a ransomware attack, encrypting systems and gathering PII data may also be a move that sets cybercriminals up for future ransomware attacks. LockBit ransomware attacks have already been responsible for an $80 million ransom demand to CDW, the third largest ransomware attack to date. Ransomware attacks are expected to cost victims $265 million by 2031.

Identifying these threats early is the most effective way to defend against these and other types of cybersecurity attacks. At the same time, it helps to minimize penalties and fees related to compliance and builds customer trust in your brand. One of the most important methods organizations have to identify these threats ahead of time is effective digital supply chain management.

How Panorays Helps Manage Third-Party Risk

The vast majority (98%) of organizations rely on third parties for their software and services. Many, however, don’t have the technology in place to determine exactly how many third parties they have, or how to protect the data and information they share with those third parties. In addition, evaluating third-party risk before onboarding is often a fractured, manual process that is difficult to scale.

Panorays delivers a third-party cyber risk management (TPCRM) solution that addresses this need, creating a customized, scalable approach for onboarding third parties. It also helps to monitor these risks throughout the third-party lifecycle.

This approach includes:

  • Supply chain discovery and mapping. Map and analyze third parties in the supply chain and define the relationship between your organization and the third party. This digital supply chain landscape mapping allows for accurate third-party risk profiling.
  • Risk DNA assessment. Combine internal and external assessments to deliver evolving, customized risk-based ratings for a comprehensive and accurate cyber posture assessment. Internal assessments include dynamic and customized questionnaires according to your risk tolerance and vendor profiling. External assessments include mapping and identifying third-party digital assets for vulnerabilities, control failures, human risk, AI dependencies and past breaches.
  • Continuous threat detection. Get early indications of breaches and vulnerabilities, prioritized according to the criticality of your third party. With a contextualized view of your supply chain, you’ll discover critical findings that deliver risk insights and alerts to prioritize threats and prevent them from escalating.
  • Remediation and collaboration. Close security gaps in order of priority to reduce risk and proactively prevent the next breach or security incident from impacting your business. These steps include both an automated and collaborative approach between your organization and third parties.

Want to learn more about how Panorays can help your organization manage third-party risks? Get a demo today.

Article information

Author: Dan Stracke
