Infosys Agrees to $17.5 Million Settlement in Data Breach Class Action Lawsuits

In a significant cybersecurity incident, Indian IT services giant Infosys has disclosed that its U.S. subsidiary, Infosys McCamish Systems, has entered into a settlement agreement involving a payout of $17.5 million. This settlement addresses six class action lawsuits stemming from a data breach that impacted the personal information of more than 6 million individuals.

In filings made public on March 13, Infosys revealed that its subsidiary, which specializes in life insurance and retirement software services in the U.S., decided to consolidate claims through this financial settlement. The resolution was achieved without any admission of liability.

According to the company, the terms of this settlement await validation and further diligence by the plaintiffs, in addition to necessary court approvals. The class action lawsuits followed a profound breach at Infosys McCamish Systems, which occurred between October 29 and November 2, 2023. During this period, threat actors gained unauthorized access to the company’s systems, exfiltrating sensitive customer data before encrypting the systems with ransomware.

The notorious LockBit ransomware group claimed responsibility for the attack, alleging that it had encrypted over 2,000 corporate systems. They also asserted that Infosys McCamish Systems offered a $50,000 ransom for the recovery of the stolen data, which reportedly fell short of their demands.

The breach exposed critical personal information across various categories, including Social Security numbers, birth dates, medical treatment records, email addresses, passwords, and financial data. In their statements, Infosys noted that both individual and corporate customer data had been subject to unauthorized access and exfiltration.

In an April 2024 disclosure, Infosys acknowledged that approximately 6.08 million people were affected by this ransomware attack, which also included notifications sent to around 57,000 customers of Bank of America. One of the lawsuits accused the company of negligence in implementing robust cybersecurity measures, putting customers at risk of banking and tax fraud, identity theft, and other cybercrimes.

The plaintiffs contended that Infosys failed to provide timely notifications regarding the security breach and did not adequately inform affected individuals about the incident’s particulars, including exploited vulnerabilities and the steps taken to mitigate future risks. This alleged lack of communication could have severely hindered the affected parties’ ability to safeguard against the ramifications of the breach.