Cyber Incident Victim: Bank of New York Mellon Corporation

Date: May 2023

Location: United States of America

Summary

Bank of New York Mellon Corporation experienced a data breach stemming from an unauthorized access incident at a third-party vendor's IT system. The breach did not directly impact the bank's own computer network but resulted in the exposure of sensitive client information entrusted to the company. The compromised data included individuals' names and Social Security numbers. The financial institution provided notification to affected clients and offered them free credit monitoring services.

Description

On May 13, 2023, Bank of New York Mellon Corporation (BNY Mellon) filed a formal notice of a data breach with the Attorney General of Massachusetts. This filing was made after the company learned that confidential information entrusted to it had been leaked. The incident was determined to be the result of unauthorized access to a third party's information technology system. The nature of the incident indicated that the breach did not originate from or directly affect BNY Mellon's own internal computer systems. The specific identity of the third-party vendor involved in the breach was not disclosed publicly at the time of the notification. The unauthorized access led to the exposure of sensitive consumer data that had been provided to BNY Mellon.

Upon discovery that sensitive information had been made available to an unauthorized party, BNY Mellon initiated a review of the affected files. This process was undertaken to determine the precise scope of the compromised information and to identify which consumers were impacted by the security incident. The company's investigation concluded that the breached data varied from individual to individual but consistently involved the exposure of personally identifiable information. The specific data elements confirmed to have been accessed included individuals' names and Social Security numbers. The exposure of this highly sensitive information created a significant risk of identity theft and various forms of financial fraud for the affected individuals.

Following the completion of its internal review, BNY Mellon began the process of directly notifying all individuals whose information was compromised as a result of the incident. The data breach notification letters were sent out on May 13, 2023, coinciding with the filing made with the Massachusetts Attorney General. These letters served to inform recipients about the nature of the breach, the specific types of their personal information that were involved, and the potential risks associated with the exposure. As a remedial measure to assist those affected, BNY Mellon offered all impacted parties access to free credit monitoring services. This offering was intended to help individuals detect any potential misuse of their personal information following the breach.

The incident impacted clients of BNY Mellon whose personal data was stored with the compromised third-party vendor. The breach did not impact the company's core banking or investment management systems, as the unauthorized access was confined to the third party's IT environment. As a global investment bank and financial services company holding $1.9 trillion in assets under management, BNY Mellon maintains vast quantities of sensitive client data. The compromise of Social Security numbers, which are key identifiers, represented a serious security event due to the potential for long-term fraud. The company's response focused on transparency with regulators and affected individuals, as well as providing a tool to help mitigate potential future harm to those whose data was exposed. The breach notification was conducted in compliance with state data breach laws, which require companies to inform authorities and consumers when personal information is subject to unauthorized access.
