Bank of America customer data exposed in IT provider breach
Third-Party Breach Liability Gaps: Why Bank of America's Vendor Compromise Exposes Contractual Weakness
Framing: The Governance Asymmetry Problem
When 57,028 Bank of America customer records—including Social Security numbers and addresses—were compromised through Infosys McCamish Systems in November 2023, the incident revealed a structural governance failure that extends far beyond a single breach. Financial institutions and their boards face a critical asymmetry: they bear full regulatory and reputational liability for customer data breaches involving third-party vendors, yet contractual frameworks often fail to establish clear accountability, notification timelines, or forensic control mechanisms. This case, reported by Cybersecurity Dive's Rajashree Chakravarty and team, is material for vendor risk committees, general counsel, and compliance officers because it demonstrates where vendor governance frameworks collapse under real breach conditions—and where regulatory exposure remains unmitigated.
The Detection and Notification Timeline Gap
The LockBit ransomware attack on Infosys McCamish Systems occurred around November 3, 2023, but Bank of America did not receive breach notification until November 24—a 21-day lag. During this period, the threat actor had encrypted over 2,000 systems and exfiltrated customer data. This timeline gap illustrates a persistent vendor risk governance weakness: most service provider contracts do not mandate immediate breach detection notification or establish escalation protocols for incidents affecting customer data. The forensic investigation that followed, conducted by a third-party firm retained by Infosys McCamish, further extended the timeline before Bank of America could determine scope and initiate regulatory reporting. Organizations often assume vendors will notify them immediately upon detection; in practice, vendors frequently delay notification pending internal assessment, legal review, or forensic engagement—creating a window where the primary organization remains unaware of exposure.
Regulatory Reporting Coordination and Liability Allocation
Bank of America's breach notification letter to the Maine Attorney General illustrates a second governance layer: the primary institution must file regulatory notifications and manage customer communications, yet the vendor controls forensic findings and scope determination. The bank's statement that it was "unlikely that we will be able to determine with certainty what personal information was accessed" reveals a critical vulnerability—the organization bearing regulatory liability lacks direct control over the forensic investigation. Under federal banking regulations, Bank of America must report the incident to its primary regulator within 36 hours if it could disrupt business or financial sector stability; the FTC requires notification of affected consumers within 30 days. Yet the vendor's forensic timeline, cooperation level, and findings directly determine whether Bank of America can meet these deadlines accurately. Most vendor contracts remain silent on forensic cooperation timelines, data preservation protocols, and liability allocation if the vendor's investigation is incomplete or delayed. This creates a structural misalignment between regulatory deadlines and vendor-controlled investigation timelines.
Vendor Security Maturity vs. Compliance Certification
The Infosys McCamish compromise also exposes a persistent vendor risk assessment gap: organizations typically evaluate vendors through compliance certifications (SOC 2, ISO 27001) rather than operational resilience metrics. The encryption of 2,000+ systems suggests insufficient network segmentation, inadequate backup isolation, or delayed threat detection. Most vendor risk questionnaires do not require verification of recovery time objectives, backup restoration capabilities, or threat detection response times. Organizations should demand evidence of resilience architecture—not just compliance attestations. This includes backup recovery testing results, network segmentation diagrams, and incident response playbooks specific to the services being provided. Compliance certifications are necessary but insufficient; they do not measure whether a vendor can detect and contain a ransomware attack before widespread encryption occurs.
Contractual Notification and Forensic Control Deficits
The Bank of America case also highlights a contractual gap that affects multiple regulated industries: most vendor agreements do not specify who controls the breach notification timeline or how disputes over scope are resolved. When Infosys McCamish retained its own forensic firm, Bank of America had limited visibility into the investigation methodology, evidence preservation, or findings timeline. Best practice vendor contracts should include: (1) mandatory breach notification within 24 hours of detection; (2) the primary organization's (here, Bank of America's) right to engage its own forensic firm or co-manage the investigation; (3) daily status updates during active investigation; (4) vendor liability for delays in notification or investigation that extend regulatory reporting timelines; and (5) clear allocation of notification costs and regulatory filing responsibilities. Most existing contracts do not address these elements, leaving the primary organization dependent on vendor goodwill and cooperation during the critical post-breach window.
Systemic Weakness: Repeated Third-Party Exposure
The article notes that Bank of America customers were breached through another third-party provider, NCB Management Services, in February 2023—exposing nearly 500,000 customer credit card records. This pattern indicates that vendor risk governance frameworks are not preventing recurrence. Organizations often treat vendor breaches as isolated incidents rather than signals of systemic vendor management weakness. A governance-level response requires: (1) comprehensive vendor inventory with data classification by vendor; (2) tiered security assessments based on data sensitivity and system criticality; (3) continuous monitoring of vendor security posture, not annual assessments; (4) contractual requirements for immediate breach notification and forensic cooperation; and (5) incident response playbooks that specify vendor escalation protocols and decision trees for regulatory reporting. The repeated exposure of Bank of America customers suggests that these elements are not yet embedded in the institution's vendor governance framework.
Cybersol Editorial Perspective
This incident reveals three systemic weaknesses that organizations consistently overlook:
First, notification asymmetry remains unaddressed. Most vendor contracts specify service-level agreements for uptime and performance but remain silent on breach notification timelines. The 21-day lag between attack and notification is not unusual; it is typical. Organizations should demand contractual language requiring notification within 24 hours of detection, with daily status updates and escalation protocols for incidents affecting customer or regulated data.
Second, forensic control is often ceded to the vendor. When a vendor retains its own forensic firm, the primary organization loses visibility and control over investigation scope, methodology, and timeline. Contracts should grant the primary organization the right to engage co-counsel, observe the investigation, and access forensic findings in real time. This is particularly critical for regulated industries where the primary institution bears regulatory liability.
Third, compliance certifications are treated as substitutes for operational resilience verification. A vendor may hold current SOC 2 Type II certification yet lack adequate backup isolation, network segmentation, or threat detection capabilities. Organizations should demand evidence of resilience architecture, backup recovery testing, and incident response capabilities—not just compliance paperwork.
Conclusion
The Bank of America–Infosys McCamish breach, as reported by Cybersecurity Dive, serves as a reference point for evaluating vendor risk governance maturity. Organizations should review the original reporting for specific details on regulatory filing timelines, notification sequences, and remediation statements. More importantly, boards and compliance teams should examine whether their vendor contracts address detection speed, notification coordination, forensic control, and liability allocation—or whether these elements remain unspecified until breach forces the issue. In regulated industries, third-party vendor risk is not a procurement function; it is a governance and regulatory exposure issue that demands board-level attention and contractual specificity.
Source: Cybersecurity Dive, "Bank of America customer data exposed in IT provider breach," reported by Rajashree Chakravarty. https://www.cybersecuritydive.com/news/bank-america-customer-data-breach-it-Infosys-McCamish-Systems/707423/