On April 16, 2024, the Maine Office of the Attorney General disclosed that Bank of America suffered an **inadvertent data breach** caused by a **Merrill employee’s email error**, leading to the **unauthorized exposure of customer information**. The incident impacted **2,676 individuals**, including **18 Maine residents**, though the exact nature of the exposed data (e.g., financial details, personal identifiers) was not fully specified. In response, Bank of America offered affected individuals **two years of complimentary identity theft protection** via **Experian IdentityWorks™** to mitigate potential risks such as fraud or identity misuse. The breach did not involve malicious cyber activity like hacking or ransomware but stemmed from **human error**, highlighting vulnerabilities in internal data-handling protocols. While no evidence suggested exploitation of the exposed data, the incident underscored the reputational and operational risks associated with **employee-driven data leaks**, particularly for a major financial institution. The breach’s scope—though limited in scale—raised concerns about compliance with data protection regulations and the bank’s ability to safeguard sensitive customer information.
TPRM report: https://www.rankiteo.com/company/bank-of-america
{
  "id": "ban721082025",
  "linkid": "bank-of-america",
  "type": "Breach",
  "date": "4/2024",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
    'affected_entities': [
        {
            'customers_affected': '2,676 (including 18 Maine residents)',
            'industry': 'Banking/Financial Services',
            'location': 'United States (Maine residents among affected)',
            'name': 'Bank of America (via Merrill)',
            'size': 'Large (Multinational)',
            'type': 'Financial Institution'
        }
    ],
    'attack_vector': 'Human Error (Email Misconfiguration)',
    'customer_advisories': ['Offer of 2-year Experian IdentityWorks™ membership'],
    'data_breach': {
        'number_of_records_exposed': '2,676',
        'personally_identifiable_information': 'Likely (Given Identity Theft Protection Offer)',
        'sensitivity_of_data': 'Moderate to High (PII likely included)',
        'type_of_data_compromised': 'Customer Information (Details Unspecified)'
    },
    'date_detected': '2024-04-16',
    'date_publicly_disclosed': '2024-04-16',
    'description': 'The Maine Office of the Attorney General reported that Bank of America experienced an inadvertent disclosure of customer information on April 16, 2024, due to a Merrill employee email error, affecting a total of 2,676 individuals, including 18 Maine residents. Bank of America is offering a complimentary two-year membership in identity theft protection services through Experian IdentityWorks™.',
    'impact': {
        'brand_reputation_impact': 'Potential (Mitigated by Identity Theft Protection Offer)',
        'data_compromised': ['Customer Information'],
        'identity_theft_risk': 'High (Mitigated by Experian IdentityWorks™ Offer)'
    },
    'investigation_status': 'Disclosed (No Further Details)',
    'post_incident_analysis': {
        'root_causes': ['Human Error (Merrill Employee Email Misconfiguration)']
    },
    'references': [
        {
            'date_accessed': '2024-04-16',
            'source': 'Maine Office of the Attorney General'
        }
    ],
    'regulatory_compliance': {
        'regulatory_notifications': ['Maine Office of the Attorney General']
    },
    'response': {
        'communication_strategy': ['Notification to affected individuals via Maine AG report'],
        'incident_response_plan_activated': 'Likely (Standard Protocol for Data Breaches)',
        'remediation_measures': ['Offering 2-year complimentary identity theft protection (Experian IdentityWorks™)'],
        'third_party_assistance': ['Experian (IdentityWorks™ Services)']
    },
    'title': 'Bank of America Inadvertent Disclosure of Customer Information via Merrill Employee Email Error',
    'type': 'Data Breach (Inadvertent Disclosure)'
}