Bank of America’s own systems were never hacked.
Read that again. The second-largest bank in the United States — with enterprise-grade security infrastructure and billions spent on cybersecurity — had customer data exposed multiple times across 2023–2025. Not because attackers got through their firewall. Because of the vendors they trusted to handle their data.
That distinction matters a lot if you run a business in Cincinnati, Florence, or Northern Kentucky.
Three Vendors. Three Failures. One Pattern.
Hit #1 — MOVEit / Ernst & Young (May 2023) The Clop ransomware gang exploited a zero-day vulnerability in MOVEit Transfer, a widely used file transfer platform. Ernst & Young, which Bank of America used to handle certain financial services, had MOVEit running in their environment. Clop walked in through that door and exposed the financial account details, credit card numbers, and Social Security numbers of 30,210 Bank of America customers.¹ BofA’s own servers were untouched.²
Hit #2 — Infosys McCamish / LockBit (November 2023) LockBit ransomware hit Infosys McCamish Systems, a retirement and insurance software provider that serviced Bank of America’s deferred compensation plans. Attackers accessed systems for four days before deploying ransomware and encrypting over 2,000 corporate systems.³ The fallout: names, Social Security numbers, dates of birth, account numbers, driver’s license numbers, and salary information — exposed for 57,028 customers.⁴ BofA didn’t find out until three weeks after the breach occurred.⁵
Hit #3 — Document Destruction Vendor (December 2024) This one wasn’t a cyberattack. On December 30, 2024, a third-party document destruction vendor failed to secure Bank of America materials during transport. Physical documents — containing names, SSNs, account numbers, dates of birth, addresses, and financial details — were found outside their secure containers on the exterior of a financial center.⁶ The vendor couldn’t confirm exactly whose records were affected, so BofA had to notify anyone who could have been impacted.⁷
Three separate incidents. Three separate vendors. Zero breaches of Bank of America’s direct infrastructure.
The Uncomfortable Takeaway for Local Businesses
If it can happen to Bank of America, it can happen to your firm.
Your clients trust you the same way BofA customers trusted their bank — with financial records, SSNs, tax documents, account details. And just like BofA, your security posture is only as strong as every vendor, software provider, and service partner with access to that data.
Accounting and CPA firms. Law offices. Financial advisors. These are the exact organizations running the same risk right now — payroll processors, tax software platforms, document management vendors, and cloud storage providers all represent potential entry points that your own IT setup doesn’t directly control.
The 2025 Verizon Data Breach Investigations Report confirmed that third-party breaches doubled in a single year.⁸ MOVEit alone affected over 2,700 organizations.⁹ Any one of them could have been a vendor of yours.
What Ongoing IT Partnership Actually Changes
The BofA incidents share something else in common: slow detection. The IMS breach ran for four days before it was caught. BofA customers weren’t notified until weeks later.
That lag is where real damage happens — and it’s where having a dedicated local IT partner changes the outcome. Not a national support line. Not a chatbot triaging your ticket while you’re trying to figure out which clients may be affected.
CMIT Solutions works directly with businesses across the Tri-State area — auditing vendor relationships, monitoring for anomalies across your technology environment, and building the incident response documentation that means you’re not making decisions from scratch when something goes wrong.
The question isn’t whether your vendors are being targeted. They are. The question is whether you’ll know about it in four days or four months.
Ready to talk to a real person about your vendor risk exposure? Reach out directly to Mike Martini at mmartini@cmitsolutions.com or book a consultation with our local team at cmitsolutions.com/florence-ky-1041/contact-us/
No bots. No ticket queues. Just a straight conversation with someone who knows this market.
Sources: ¹²Security.org, Mar. 2026 ³⁴⁵Security.org / Cybernews, Feb. 2024 ⁶⁷Washington Times / Mass.gov, Mar. 2025 ⁸Tech Advisory, Nov. 2025 ⁹Wikipedia / BleepingComputer, 2023
CMIT Solutions | Serving Cincinnati, Florence, Covington & Northern Kentucky Managed IT | Cybersecurity | Secure AI Workspace | Local Support