Bank of America Clarifies Breach

Vendor Not Responsible for Compromised Cards

Bank of America now says the suspected breach of credit card data it reported earlier this month is likely linked to a third-party merchant - not a third-party service provider.

In response to previous coverage of the breach, the bank clarified the suspected source, adding that the incident was isolated.

"This would have been an isolated incident at a third-party merchant (like a store) that may have impacted a very small number of cards, not a security breach at Bank of America or one of its vendors," says BofA spokeswoman Betty Riess in an e-mailed response.

And BofA likely was not the only card issuer affected. "A breach at a merchant location would not just be specific to Bank of America cards," Riess said.

BofA linked the suspicious activity to this unnamed merchant after data from internal fraud monitoring was connected with information from affected card brands. "We take these proactive steps to protect our customers and minimize any occurrence of fraud," Riess added. "It doesn't necessarily mean that fraud has actually occurred on the account."

Earlier this month, BofA sent letters to select customers, notifying them of a possible compromise. The bank would not say how many of its accountholders were affected, but did point out that necessary steps were being taken to address known security gaps.

Fred Cate, a law professor at Indiana University who specializes in cybersecurity, says the BofA incident is a reminder that sensitive information must be secured across and within numerous links in the business and payments chain. It's not just the bank that has to ensure data and information are secure; the same precautions and security measures that are implemented in-house must be practiced by the other businesses, service providers and intermediaries with which the bank interacts.

"The entire system has to be secure," Cate says. "I think banks are doing better with, and certainly paying more attention to, ensuring that their suppliers and vendors use good security. But it is an impossible task, in the absence of federal legislation that creates a system-wide obligation to treat financial data responsibly."

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
