More than 30,000 Bank of America customers have recently fallen prey to a cyberattack.

On Wednesday of last week, Ernst & Young (EY) announced that a breach exposed the personal information of 30,210 BofA customers. EY was informed of the attack on May 31, according to Cybernews.

EY is a Big Four accounting firm that handles some of Bank of America’s (BofA) advisory, consulting, and tax services and has access to BofA customer details.

The attack by the ransomware group called “Cl0p” resulted from EY using third-party software MOVEit from Progress Software based in Massachusetts.

MOVEit is a program intended to transfer data files. A ransomware gang took advantage of a flaw in the software, allowing them to access personal BofA customer records.

Cybercriminals can use this information to open unauthorized credit accounts, make illegal purchases, and even obtain loans.

What has been breached?

In a letter to affected BofA customers, EY explained that the personal information exposed may have included:

  • First and last names
  • Addresses
  • Financial account information
  • Debit or credit card numbers
  • Social Security numbers
  • Government-issued ID numbers

The threat to those impacted is serious given that identity theft affecting adults in the U.S. totaled $43 billion in losses in 2022, according to a recent report.

To date, the MOVEit breach has compromised data at more than 600 organizations across the globe. In addition to EY, the list of impacted companies includes PwC and Deloitte.

In all, the attack affected over 40 million, and the tally keeps growing.

An external analysis shows that U.S.-based organizations represent 77% of known victims—with “the most heavily impacted sectors [being] finance and professional services and education.”

These sectors account for 24% and 24% of incidents, respectively.

Who's behind it?

The identity and whereabouts of Cl0p remain unknown.

The FBI stated it’s "aware of and investigating” the attacks. In addition, the U.S. State Department has offered a $10 million bounty for information linking cl0p to foreign governments.

According to the Cybersecurity and Infrastructure Security Agency (CISA), the Cl0p ransomware gang began exploiting the previously unknown vulnerability in MOVEit software starting on May 27.

Typically, Cl0p will send ransom notes that threaten to publish the stolen files on the Cl0p data leak site unless victims agree to pay the ransom amount.

Similar attacks affected SolarWinds in 2021, later breaching Linoma servers in 2023. Sony, Shell PLC, and leading U.S. pension fund Calpers are also Cl0p victims.

How BofA customers might be affected

Impacted BofA customers could become victims of identity theft.

As a result, they could receive bills for merchandise they did not purchase. They could also receive debt calls for accounts opened in their name without their permission.

This kind of unauthorized account activity could significantly reduce their credit scores and impact their ability to borrow.

The personal information leaked also makes the victims more susceptible to “phishing” scams in which criminals attempt to gain more account information via misleading texts and calls.

EY has offered those impacted 24 months of credit monitoring and identity theft protection services. The firm also urged victims to keep an eye out for unauthorized financial activity.