Infosys Subsidiary Named as Source of Bank of America Data Leak

Indian tech services giant Infosys has been named as the source of a data leak suffered by the Bank of America. From a report: Infosys disclosed the breach in a November 3, 2023, filing that revealed its US subsidiary Infosys McCamish Systems LLC (IMS) "has become aware of a cyber security incident resulting in non-availability of certain applications and systems in IMS." A data breach notification filed in the US state of Maine this week describes the incident as "External system breach (hacking)" and reveals the improperly accessed data includes "Name or other personal identifier in combination with: Social Security Number."

The notification was submitted by an outside attorney working on behalf of the Bank of America, names IMS as the source, and revealed that information on 57,028 people was leaked. A sample of the letter sent to those impacted by the incident reveals that on November 24, "IMS told Bank of America that data concerning deferred compensation plans serviced by Bank of America may have been compromised. Bank of America's systems were not compromised." Things then get a bit scary: "It is unlikely that we will be able to determine with certainty what personal information was accessed as a result of this incident at IMS. According to our records, deferred compensation plan information may have included your first and last name, address, business email address, date of birth, Social Security number, and other account information."

blame the subcontractor? did BOA cut cost to much?

[Joe_Dragon]

blame the subcontractor? did BOA cut cost to much?

did the subcontractor do more subcontractor and said well as an contractor we have full control over the work and by law can subout any thing we want to be an real contractor?

Re:

[Anonymous Coward]

No, the fault was with Samir Naga... Naga... Naga... Not gonna work here anymore, anyway.

Re:

[Anonymous Coward]

Rich isn't it? Cut costs by hiring a sub and then throw sub under the bus for the breach. SMH...

Re:

[mrbester]

Mrs Sunak will still get her dividends, so that's alright.

Re:

[stabiesoft]

Kind of like Boeing did. Outsource to cut costs, and then blame the outsourcer for laxness as the cost cutting mad inevitable.

Re:

[tlhIngan]

Kind of like Boeing did. Outsource to cut costs, and then blame the outsourcer for laxness as the cost cutting mad inevitable.

Except the responsibility still lies on Boeing as it's a Boeing aircraft that had the accident, not a Spirit Aerosystems aircraft.

Blame the subcontractor also only goes so far because guess what? Airbus also contracts Spirit Aerosystems to build parts for its aircraft. And it is up to Airbus to inspect to make sure all the bolts are on their door plugs that they get from Spirit as we

seen this before

[gabrieltss]

I've seen it too many times the Indian outsource companies and their lax security practices... Had issue at cabelas when we outsourced the development of the cabelas visa site to Indian outsourcer they were logging credit card numbers and expiration dates in the logs. When we saw that we dropped them like a bad habit and brought development in house. I'd NEVER recommend any company use them. See this kind of thing way to many times.

lawsuits

[awwshit]

I hope BofA enjoys the lawsuits for their carelessness. They can blame a 3rd party but BofA is responsible.

Re:lawsuits

[Jahta]

I hope BofA enjoys the lawsuits for their carelessness. They can blame a 3rd party but BofA is responsible.

Absolutely! The number of times I've had to explain to executives that, while you can choose to outsource parts of your business process, you cannot outsource risk and liability. Your outsource partner is, legally speaking, an agent acting on your behalf, and if they screw up and hurt your customers then that's on you.

Re: lawsuits

[reanjr]

Can you point to any actual big lawsuits where the client was held responsible for the contractors' work? Sure, in theory, they are legally responsible. But that's not how things typically work. The court decides how responsible they were. As long as they aren't negligent in hiring a subcontractor, the courts generally let corporations cede liability to entities with no money.

Re:

[mjwx]

Can you point to any actual big lawsuits where the client was held responsible for the contractors' work? Sure, in theory, they are legally responsible. But that's not how things typically work. The court decides how responsible they were. As long as they aren't negligent in hiring a subcontractor, the courts generally let corporations cede liability to entities with no money.

Loads of times, maybe not in the US but it's commonplace in most other countries. If a UK bank outsources it's IT and has a failure, the bank is on the hook for the consequences. The bank can sue the outsourcer for damages but is higly unlikely to get 100% of the costs back, let alone any damages (reputaion, lost business).

Even a government department is held liable for issues (thinking QLD Health or the ATO) even though the contractors were completely responsible for the failure (in the case of the ATO,

Re: lawsuits

[reanjr]

Well, we are talking about Bank of America here. U.S. courts seem to be the relevant ones.

Good job

[eneville]

Good job that Infosys isn't involved with anything important like UK government