Another Bank of America breach of customer information has once again raised concerns over the security of financial institutions. The breach occurred due to improper handling of sensitive documents by a third-party document disposal company, and it again exposed weaknesses in how banks safeguard customer information. Although the number of accounts affected has not been disclosed, the incident has led Bank of America to offer identity theft protection to affected clients.
A Pattern of Security Incidents
This is Bank of America’s second data security issue. In January, another breach leaked the information of at least 414 customers after it had been mishandled by outsiders handling it as a third-party vendor. That such incidents have come so close together is troubling given banks’ rising reliance on third-party service providers to handle data security. Banks have access to great volumes of sensitive customer information but have proven to lack adequate capacity to guard it.
The latest incident occurred on December 30, when a shredding vendor failed to secure banking documents that were being transported. The documents were outside the containers meant to protect them, raising concern that names, financial information, addresses, telephone numbers, Social Security numbers, and government-issued identifying numbers have fallen into unauthorized hands.
Bank of America will not release a precise number of accounts affected, but at least two instances have been verified in Massachusetts. The bank responded by offering affected clients, who were potentially exploited, free identity-theft assistance over the next two years.
The Third-Party Risk Threat on the Rise
Increasing reliance on third-party providers for services that span everything from document shredding to cybersecurity and information management exposes banks to enormous risk. The largest bank breaches in recent times, such as that of Capital One in 2019, resulted from provider error. Despite regulatory pressure and in-house security measures, banks cannot manage to make their service partners adhere strictly to secure practices.
This recent case underscores that financial institutions must conduct more frequent audits and impose more stringent compliance requirements on third-party vendors. Regulators would have to step in and impose stiffer penalties on banks that do not secure customer information properly, especially if they outsource essential functions to a third party.
Customer Trust and Its Financial Implications
For customers, repeated security intrusions understandably raise doubts about the safety of their financial and personal information. Public confidence in big banks is already low, particularly amid additional cyber attacks, phishing operations, and account hijacking. When a flagship bank such as Bank of America is repeatedly breached over a period of months, it undermines public confidence and can prompt users to seek alternative financial services, including fintech websites and online banks that advertise additional security measures.
Bank of America’s share price has remained fairly stable after this breach, but ongoing reputational damage can harm customer retention as well as investors’ trust. Every security breach lands the entire banking industry with heightened regulatory burdens, and banks may soon have to implement enhanced security features or pay higher fines.
Regulatory and Industry Implications
The banking sector is subject to extremely tight rules on sensitive information, but the measures taken thus far appear not to do enough. Bank of America’s case could reopen discussion on making more government agencies accountable for regulating how banks handle sensitive information.
Politicians and consumer associations must demand:
- Stronger enforcement of current data protection legislation, with banks held at fault if their third-party suppliers breach it.
- Periodic security audits and compulsory vulnerability reporting before breach incidents occur.
- More severe punishments and fines for banks that do not do enough to safeguard customer information.
The increasing rate of bank data leaks also presents an opportunity for cybersecurity firms to expand their share of the market. Banks are forced to put in place better encryption methods, multi-factor verification programs, and real-time scanning systems to prevent future leaks.
The Future of Banking Data Security
Bank of America’s vulnerability is a reminder that it’s not just small banks that can become victims of security breakdowns. For consumers, it’s a reminder of the importance of being proactive: carefully examining bank statements, regularly refreshing passwords, and taking advantage of identity theft tracking services.
For banks, it’s simple: cybersecurity and protecting information must be front-of-mind priorities, not after-the-fact considerations. As more and more business is done over the internet, security will increasingly be what customers demand, and institutions that cannot provide it will see their market share siphoned off by more security-conscious competitors. The Bank of America breach will not be the last of its type, but it does give the industry some time to reassess its strategy for protecting information. It remains to be seen whether banks will do anything to plug those holes or will continue to play whack-a-mole with after-the-fact damage control once it’s over.