Bank of America Attack Flags Software Supply Chain Risks

News that a cyberattack has exposed Bank of America customer data puts the importance of rigorous software supply chain security firmly in the spotlight.

News that Bank of America is the latest major organisation to have been hit by a supply chain cyber attack sounds yet another alarm bell for multinational businesses whose value chains might comprise tens of thousands of vendors.

Bank of America customers were recently informed that their personal data has been exposed after one of the bank’s service providers suffered a cyber security breach last year.

That provider was Infosys McCamish Systems (IMS), a subsidiary of the India-based IT consulting giant Infosys – which is owned by British Prime Minister Rishi Sunak's wife's family.

It is reported the breach happened in November when an “unauthorised third party” accessed its network.

According to the bank’s data-breach notification, it took IMS 21 days to notify it. Data said to have been compromised includes customers’ first and last names, addresses, business emails, dates of birth, social security numbers and “other account information”. As many as 57,000 people have been directly affected by the breach.

News of the Bank of America attack follows just days after Supply Chain Digital reported that a senior SAP procurement expert issued a warning that organisations lack the expertise and resources to protect against cybersecurity threats.

Baber Farooq, SVP at SAP Ariba, says procurement professionals increasingly find themselves on the cyber-threat frontline, as cyber criminals target globally interconnected supply chains.

Software supply chains 'can be huge danger'

The problem for multinational businesses like Bank of America is that their supply chains can comprise tens of thousands of vendors, many of which are vulnerable to cyber attacks. Hackers target such vendors as a way of gaining access to larger companies – a practice known as a ‘backdoor attack’.

This means supply vendors – IMS, in the case of Bank of America – are too often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to larger organisations.

Other recent supply chain cyberattacks include one affecting the UK’s largest regional police force, the Metropolitan Police, which employs 35,000 police and civilian staff, following a security breach involving the IT system of one of its suppliers. The vendor in question has access to names, ranks, photos, vetting levels and pay numbers for Met officers and staff.

An even more catastrophic supply chain security breach was seen with the cyberattack on MOVEit, a managed file-transfer software service that encrypts files and uses secure file transfer protocols to transfer data.

Businesses with large software supply chains are especially vulnerable, because software solutions that end up being integrated into enterprise-wide systems can contain multiple vulnerabilities.

A big problem is software developers who needlessly download vulnerable open source software when newer and safer versions of those downloads are readily available.

In 2023, cybersecurity firm Sonatype logged 245,032 malicious packages, and says that as many as one in eight open-source software downloads today pose “known and avoidable risks”.

Farooq says procurement has a “pivotal role to play in operational resilience”, and adds that prioritising supply chain and third-party risk management should be “foundational for any successful company”.

Supply chain cybersecurity: everyone has a part to play

But the truth is it’s not just procurement professionals who are pivotal to tightening up cybersecurity measures – every employee has a role to play.

Most cyber breaches are down to poor cybersecurity housekeeping. Here are some basic preventative measures that anyone can take:

  • Develop a movers, leavers and joiners process. When someone joins, their account permissions should be recorded and approved. When they leave, their account should be disabled or removed.
  • Carry out a software audit. A typical ‘out-of-the-box’ set-up might enable an admin account with a standard, publicly known default password.
  • Create a list of all devices in your organisation. Devices – laptops, smart phones, firewalls, routers – often hold valuable information.
  • Create a list of all software and firmware used in your organisation. This might be firmware found on your router or firewall, versions of an operating system (such as Windows or macOS), or suites of office tools (such as Microsoft Word, Dropbox or Hootsuite).
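As an added illustration of the first two measures above (example code, not from the article or from any organisation it names), the script below reconciles a constructed HR roster against a constructed account list: it flags leavers whose accounts are still enabled, permissions with no recorded approver, and accounts with no owner in HR, which is where an out-of-the-box admin login would surface. All names and statuses are made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Person:
    """One HR roster row (constructed sample data)."""
    user: str
    status: str                 # "active" or "left"


@dataclass
class Account:
    """One directory account (constructed sample data)."""
    user: str
    enabled: bool
    approved_by: Optional[str]  # who approved its permissions; None = no record


# Constructed sample roster and account list, not real data.
HR_ROSTER = [Person("alice", "active"), Person("bob", "left"), Person("carol", "active")]
ACCOUNTS = [
    Account("alice", True, "it-manager"),
    Account("bob", True, None),    # leaver whose account was never disabled
    Account("carol", True, None),  # joiner whose permissions were never approved
    Account("admin", True, None),  # no owner in HR, e.g. a vendor default account
]


def review_accounts(roster: List[Person], accounts: List[Account]) -> Dict[str, List[str]]:
    """Flag accounts a movers/leavers/joiners process should have caught.

    leaver_enabled: owner has left but the account is still enabled
    unapproved:     no recorded approval for the account's permissions
    orphan:         no HR record owns the account (default or shared logins)
    """
    people = {p.user: p for p in roster}
    findings: Dict[str, List[str]] = {"leaver_enabled": [], "unapproved": [], "orphan": []}
    for acct in accounts:
        owner = people.get(acct.user)
        if owner is None:
            findings["orphan"].append(acct.user)
            continue
        if owner.status == "left" and acct.enabled:
            findings["leaver_enabled"].append(acct.user)
        if acct.approved_by is None:
            findings["unapproved"].append(acct.user)
    return findings
```

Running the same reconciliation on a schedule, with the HR roster as the source of truth, turns the leavers step from a one-off checklist item into a repeatable control.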