A data breach at Infosys McCamish, a financial software provider, compromised the name, address, date of birth, Social Security number, and other account information of 57,028 deferred compensation customers whose accounts were serviced by
An unauthorized party — apparently a ransomware group known as
The breach occurred Nov. 3, according to the letter, and Infosys McCamish notified
Many states, including Maine, require companies to notify people affected by a data breach within 30 days of the company discovering a breach. Delays may be granted for law enforcement investigations.
Infosys McCamish and
Affected customers held deferred compensation plans serviced by
These deferred compensation plans represent a "significant asset-gathering opportunity for financial institutions selling into the retirement plans markets,"
A spokesperson for
LockBit, a ransomware group notorious for its high-profile attacks,
The hacker group is threatening to publish personal data from multiple U.S. financial institutions and using known vulnerabilities to get into their systems.
For its part, Infosys McCamish said in its letter to affected customers that the Nov. 3 attack had rendered some of its systems unavailable, but it did not elaborate on how long those systems remained down.
Infosys McCamish said in the letter it was "unlikely" that it would be able to determine with certainty what personal information the threat actor accessed during the breach, but it might have included deferred compensation plan information, including names, dates of birth, and Social Security numbers.
While Infosys McCamish said it was its own systems rather than
Many organizations require vendors to go through mandatory security audits to maintain a chain of trust, he said, but the case still reflects poorly on
For regulators, the picture of responsibility when it comes to third-party cybersecurity risk is black and white; banks are the ones responsible.
"Reliance by banks on third-party service providers has grown considerably in recent years, and with that reliance comes the potential for greater cyber risk," Barr said. "It is ultimately the responsibility of banks to manage their third-party risk, and we have historically seen gaps in this regard."
Others have criticized banks' attempts to stem cybersecurity threats from third parties, as well.
Banks' contracts with these providers "typically did not clearly address [providers'] responsibilities and lacked specific contract provisions to protect" the interests and rights of banks, according to the FDIC OIG report.