Editorial Note: We earn a commission from partner links on Forbes Advisor. Commissions do not affect our editors’ opinions or evaluations.
About 57,000 Bank of America customers are being warned that their personal information may have been exposed during a November cyberattack on bank service provider Infosys McCamish Systems.
The data breach, attributed to the LockBit ransomware group according to several reports, occurred on Infosys McCamish’s system on November 3 and was reported to Bank of America on November 24.
However, consumers whose data may have been compromised were not notified of the security failure until February 1, or about 90 days after the breach was discovered, potentially violating state notification laws.
Customers who were affected were enrolled in Bank of America-sponsored deferred compensation plans at companies, which provide tax advantages for employees who defer a portion of their paychecks until a later date, such as at retirement, Infosys McCamish said.
Sensitive Customer Information May Have Been Leaked
Personal information that might have been compromised in the hack may include the victims’:
- First and last name
- Address
- Business email address
- Date of birth
- Social Security number
- Other account information
It’s still unclear exactly what data might have been accessed, and there’s so far no evidence the information was misused, according to a letter Infosys McCamish sent to affected consumers.
Affected Customers Offered Free Identity Protection Service
Bank of America is offering affected customers a free two-year membership to Experian IdentityWorks. This identity theft protection program includes daily credit report monitoring from Experian, Equifax and TransUnion, internet surveillance, and identity theft resolution, among other services.
To claim this offer, you can enroll online or call Experian IdentityWorks. You’ll need the activation code and engagement number provided by Bank of America.
When Personal Data Is Compromised, Timing Is Critical
The longer thieves may have access to your personal information, the more damage they can do. This is why some states mandate that affected individuals be notified within a certain time frame if their personal information is compromised in a cyberattack.
For example, in Maine, notification must be made no later than 30 days after a breach is discovered, with allowances for law enforcement investigations. Indiana’s time frame is a little longer, at 45 days.
It’s unclear why there was such a lag between the discovery of the breach and the effort to inform customers. Bank of America and Infosys McCamish have so far not commented.
“If you suspect that someone has stolen your identity, acting quickly is the best way to limit the damage,” the Department of Justice advises.
According to the DOJ, if an organization that holds your personal information experiences a data breach, it must inform you of your rights. You have the option to take the following precautions:
- Request a fraud alert to be placed on your credit file
- Monitor your accounts for suspicious behavior
- Exercise your right to obtain a free copy of your credit report.
If highly sensitive and valuable information such as your Social Security number might have been stolen, placing a credit freeze on your credit reports can block bad actors from opening new lines of credit in your name.
Find the Best Identity Theft Protection Services of 2024
Credit: Source link