Infosys Settles Data Breach Class Action Lawsuits for $17.5M

Indian IT services company Infosys said its U.S. subsidiary Infosys McCamish Systems agreed to pay $17.5 million to settle six class action lawsuits related to a cybersecurity incident that compromised the personal information of more than 6 million people.

See Also: Top 10 Technical Predictions for 2025

Infosys in regulatory filings Friday disclosed that Infosys McCamish Systems LLC, a subsidiary that provides life insurance and retirement software and services in the U.S., has agreed to settle several class action lawsuits in the U.S. by paying $17.5 million into a consolidated fund.

Infosys McCamish Systems and the plaintiffs settled the claims on March 13 “without admission of any liability,” Infosys said.

“The proposed terms are subject to confirmation and due diligence by the plaintiffs, finalization of the terms of the settlement agreement, as well as preliminary and final court approval,” the company said.

The class action lawsuits followed a major breach at Infosys McCamish Systems in November 2023 in which attackers gained unauthorized access to its systems between Oct. 29 and Nov. 2, 2023, exfiltrated customer data and encrypted the systems with ransomware.

The LockBit ransomware group claimed responsibility for the cyberattack, saying on its leak site that it encrypted more than 2,000 corporate systems. The ransomware-as-a-service group also claimed that Infosys McCamish Systems offered a $50,000 ransom payment to buy back the stolen data, but it wasn’t enough.

The company said the compromised data included Social Security Numbers, dates of birth, medical treatment information, email addresses, passwords, driver’s license numbers, financial account information, payment card information, passport numbers, tribal ID numbers and U.S. military ID numbers.

In an April 2024 stock exchange filing, the company said, “McCamish also identified corporate customers whose business data was subject to unauthorized access and exfiltration. McCamish will be notifying its impacted customers and intends to work with these customers to support their respective reporting obligations, as appropriate.”

Infosys in June said that the ransomware attack affected about 6.08 million people. Infosys McCamish Systems had previously informed the attorney general’s office that the data breach incident affected about 57,000 Bank of America customers (see: Insurance Software Vendor Notifies 6.1 Million of 2023 Hack).

One of the class-action lawsuits alleged that the company failed to implement adequate and reasonable cybersecurity measures to protect customers’ private information and exposed them to various cyber risks such as banking fraud, tax returns fraud, impersonation scams and identity fraud.

The lawsuit also alleged that the company failed to notify affected customers promptly about the data security incident, and when it did, it failed to inform them about the details of the incident, the vulnerabilities exploited, and the remedial measures taken to prevent a similar incident from reoccurring. “Without these details, plaintiff’s and class members’ ability to mitigate the harms resulting from the data breach is severely diminished,” the lawsuit alleges.