Infosys McCamish Systems agreed to settle multiple class action lawsuits that were filed because of a 2023 ransomware attack. The data breach involved unauthorized access to the personal information of over 6 million people. Infosys is India’s second-biggest IT services company and its U.S. subsidiary Infosys McCamish Systems offers life insurance and pension management software. In November 2023, Infosys McCamish Systems identified a systems breach during a ransomware attack. The forensic investigation revealed that an unauthorized threat actor accessed its systems from October 29 to November 2, 2023, extracted sensitive information, and deployed ransomware for file encryption.
The LockBit ransomware group stated it was behind the attack and issued a ransom demand in exchange for the decryption keys and stop the exposure of the stolen information. A LockBit agent said that Infosys McCamish is willing to pay $50,000 to stop the exposure of the stolen information. However, the ransomware group refused the cheap offer and leaked the stolen data.
In April 2024, Infosys McCamish gave an update on the incident explaining that the impacted systems were significantly recovered as of December 31, 2023. An investigation by third-party cybersecurity affirmed the exfiltration of sensitive data. A review by a third-party eDiscovery vendor of the compromised and stolen information confirmed that around 6.5 million people were impacted. The ransomware group likewise accessed and extracted the business information of some clients. The stolen information contained names, mailing and email addresses, telephone numbers, dates of birth, driver’s license numbers/state ID numbers, Social Security numbers, financial account numbers, policy numbers, usernames, passwords, salaries, personal health data, and other ID numbers like tribal and military ID numbers. Infosys McCamish Systems had earlier notified state attorneys general that the data breach impacted around 57,000 people. In June 2024, the company gave an update saying that the breach impacted 6.08 million individuals.
After the data breach announcement, Infosys McCamish Systems faced multiple class action lawsuits filed because of the data breach. The data breach lawsuits alleged negligence for not appropriately securing the sensitive data of clients’ customers. Due to the Infosys McCamish data breach, the plaintiffs and class members assert they have experienced real injuries such as privacy violation, lost time and opportunity while dealing with the impact of the data breach, diminished benefit of the bargain, out-of-pocket expenses, and greater exposure to identity theft, fraud, and impersonation attacks. The Infosys McCamish lawsuit additionally stated claims of negligence per se, unjust enrichment, and breach of third-party beneficiary contract.
Infosys McCamish Systems also allegedly slowed down issuing breach notifications (which could be a violation of HIPAA breach notification law if PHI is involved), and the mailed notification letters lacked some information concerning the data breach, which lessened the capability of class members to diminish the problems brought on by the data breach. Infosys McCamish Systems rejected the claims in the lawsuit and did not admit any wrongdoing. Nevertheless, it agreed to settle the lawsuit to prevent more litigation expenses and the threats and uncertainty connected with ongoing litigation.
On March 14, 2025, Infosys McCamish affirmed the agreed settlement to take care of all claims and allegations presented in six pending class action lawsuits. The particulars of the settlement are for study and confirmation by the plaintiffs. Preliminary and final court approvals are also pending confirmation.