BA A.I CyberSecurity Scoring
BA
Company Information
Website:https://www.bankofamerica.com
Employees number:232,516
Number of followers:3,203,861
NAICS:52211
Industry Type:Banking
Homepage:bankofamerica.com
BA Risk Score (AI oriented)
Between 750 and 799
BABanking
Updated:
03/07/2026
03/07/2026
775/1000
Fair
Baa
BA Global Score (TPRM)
xxxx
BABanking
Score locked

BAFair
Current Score
775Baa (FAIR)
01000
5 incidents
-10 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
776
JUNE 2026
773
MAY 2026
770
APRIL 2026
770
MARCH 2026
768
FEBRUARY 2026
767
JANUARY 2026
765
DECEMBER 2025
770
Cyber Attack
01 Dec 2025 • BA
Major U.S. Bank: New Malware Targets 200,000+ U.S. Bank Employees to Steal Login Credentials
Sophisticated Keylogger Attack Targets Major U.S. Bank’s Employee Store, Exposing 200,000 to Credential Theft
760
CRITICAL-10
BAN1769475353
Sophisticated Keylogger Attack Targets Major U.S. Bank’s Employee Store, Exposing 200,000 to Credential Theft
Cybersecurity researchers have identified a highly targeted keylogger attack on the employee store of one of America’s largest banks, compromising sensitive data for over 200,000 employees. The malware intercepted all form inputs including login credentials, payment card details, and personal information raising concerns about potential lateral movement into the bank’s internal systems.
The attack exploited a critical gap in enterprise security: employee-facing ecommerce platforms, which often fall outside standard security audits despite handling corporate credentials. Since bank employees frequently have elevated access to financial systems, such platforms become prime targets for threat actors seeking initial footholds in banking infrastructure.
The malware used a two-stage loader to evade detection. The first stage employed character code obfuscation to verify users had reached checkout pages before fetching a secondary harvesting script from js-csp.com/getInjector/. The second stage systematically extracted form data including input fields, dropdown menus, and text areas before exfiltrating stolen credentials via image beacon requests to bypass security controls.
At the time of discovery, only 1 of 97 security vendors on VirusTotal flagged the malicious infrastructure, highlighting a significant detection gap for ecommerce-specific threats. The attack pattern mirrors previous campaigns, including one targeting the Green Bay Packers, and marks the fifth getInjector campaign detected in the past year. The js-csp.com domain was registered in late December 2025, with the compromise identified within weeks of deployment.
The bank’s response was delayed due to the absence of a security.txt file, a standard channel for responsible disclosure. Despite researchers’ attempts to notify the bank via email and LinkedIn, the lack of formal security contacts hindered remediation efforts. The incident underscores the need for organizations to monitor client-side scripts, include internal ecommerce platforms in security audits, and deploy specialized threat detection for this emerging attack surface.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
DATA BREACH
REFERENCES
NOVEMBER 2025
770
OCTOBER 2025
770
SEPTEMBER 2025
769
AUGUST 2025
768
FEBRUARY 2025
783
Breach
18 Feb 2025 • BA
Bank of America
Bank of America Data Breach
756
MEDIUM-27
BAN832072725
The Maine Office of the Attorney General reported a data breach related to Bank of America on March 3, 2025, involving an inadvertent disclosure that occurred on February 18, 2025. One individual was affected, and the compromised information included personal details such as names and Social Security numbers. Bank of America offered a complimentary two-year identity theft protection service by Experian.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
OCTOBER 2024
805
Breach
01 Oct 2024 • BA
Bank of America
Bank of America Data Breach (2024)
778
CRITICAL-27
BAN030091825
The Maine Office of the Attorney General disclosed a data breach affecting Bank of America, detected on October 1, 2024, and reported on January 3, 2025. The incident involved unauthorized access to sensitive personal information, compromising 414 individuals, including at least one Maine resident. While the exact nature of the exposed data was not fully detailed, the breach was severe enough to warrant 24 months of free identity theft protection services via Experian, suggesting the exposure of personally identifiable information (PII) that could facilitate fraud or identity theft. The breach highlights vulnerabilities in Bank of America’s data security measures, raising concerns over potential financial fraud, reputational damage, and regulatory scrutiny. Although the scale (414 individuals) is relatively contained compared to mass breaches, the provision of long-term identity protection indicates a high-risk exposure—likely involving financial or identity-related data (e.g., Social Security numbers, account details, or addresses). The incident underscores the persistent threat of cyber intrusions targeting financial institutions, where even limited breaches can have cascading consequences for affected individuals, including phishing attacks, unauthorized transactions, or credit fraud.
INCIDENT DETAILS -
TYPE
REFERENCES
APRIL 2024
829
Breach
16 Apr 2024 • BA
Merrill, A Bank of America Company
Bank of America Inadvertent Disclosure of Customer Information via Merrill Employee Email Error
801
HIGH-28
BAN721082025
On April 16, 2024, the Maine Office of the Attorney General disclosed that Bank of America suffered an inadvertent data breach caused by a Merrill employee’s email error, leading to the unauthorized exposure of customer information. The incident impacted 2,676 individuals, including 18 Maine residents, though the exact nature of the exposed data (e.g., financial details, personal identifiers) was not fully specified. In response, Bank of America offered affected individuals two years of complimentary identity theft protection via Experian IdentityWorks™ to mitigate potential risks such as fraud or identity misuse. The breach did not involve malicious cyber activity like hacking or ransomware but stemmed from human error, highlighting vulnerabilities in internal data-handling protocols. While no evidence suggested exploitation of the exposed data, the incident underscored the reputational and operational risks associated with employee-driven data leaks, particularly for a major financial institution. The breach’s scope—though limited in scale—raised concerns about compliance with data protection regulations and the bank’s ability to safeguard sensitive customer information.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
APRIL 2020
838
Data Leak
01 Apr 2020 • BA
Bank of America
Bank of America PPP Loan Data Breach
812
CRITICAL-26
BAN2212291222
Business clients applying for Paycheck Protection Program (PPP) loans with Bank of America have had their personal and business information exposed in a data breach.
The data breach occurred on April 22 as Bank of America uploaded customers’ PPP loan applications to the Small Business Administration’s (SBA) online testing system, which allowed lenders to test application submissions.
During the testing process, Application information was potentially visible to other lenders and their third-party vendors.
The exposed data included both business and clients’ personal information.
The affected business data may include business names, addresses, and tax identification numbers.
Affected personal data may include names, addresses, Social Security numbers, phone numbers, email addresses, and citizenship information.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for BA ??
What was BA's A.I Rankiteo Cyber Score in June 2026 ??
What was BA's A.I Rankiteo Cyber Score in May 2026 ??
What was BA's A.I Rankiteo Cyber Score in April 2026 ??
What was BA's A.I Rankiteo Cyber Score in March 2026 ??
What was BA's A.I Rankiteo Cyber Score in February 2026 ??
What was BA's A.I Rankiteo Cyber Score in January 2026 ??
What was BA's A.I Rankiteo Cyber Score in December 2025 ??
What was BA's A.I Rankiteo Cyber Score in November 2025 ??
What was BA's A.I Rankiteo Cyber Score in October 2025 ??
What was BA's A.I Rankiteo Cyber Score in September 2025 ??
What was BA's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on BA's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with BA ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view BA's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?