In a significant development, Infosys Ltd, headquartered in Bengaluru, has put forth a proposal to settle class action lawsuits arising from a data breach incident involving its US subsidiary, Infosys McCamish Systems (IMS). This breach, which occurred in November 2023 as a result of a ransomware attack, has raised severe concerns regarding the cybersecurity posture of the involved entities. The announcement, made via a statement to stock exchanges, indicates that the proposed agreement aims to resolve all ongoing class action litigations and to address the allegations contained within them.
Following mediation on March 13, 2025, between Infosys and the plaintiffs, an agreement was reached not only to settle the lawsuits against IMS but also those involving its clients. According to the terms of the proposed settlement, IMS is committed to depositing $17.5 million into a fund designed to address these issues. However, the agreement is contingent upon validation by the plaintiffs, finalization of the settlement terms, and the subsequent approval by the courts, both preliminary and final. Importantly, if the settlement is ratified, it will resolve all allegations without any admission of liability by Infosys or IMS.
The data breach itself, which was confirmed by Infosys through communications with the stock exchanges in November 2023, led to a disruption of numerous applications and systems at IMS, a wholly owned subsidiary of Infosys BPM Limited. While the company has refrained from disclosing the precise impact of the breach, it acknowledged the situation and stated its commitment to collaborating with a leading cybersecurity firm to expedite resolution efforts. An independent investigation has been initiated to ascertain the extent of the breach and potential ramifications for data and systems.
Reports indicate that IMS has engaged Unit 42, a division of Palo Alto Networks, to assess the specific effects of the ransomware attack on its clients, while Ernst & Young has been brought in to evaluate the overall impact. Allegations emerging from the class action suits suggest that sensitive information belonging to approximately 6 million individuals—such as names, addresses, Social Security numbers, and dates of birth—may have been compromised. Notable clients of IMS, including John Hancock Life Insurance, Newport Group, and Bank of America, are also facing the specter of potential class action litigation due to their association with IMS.
This incident raises critical questions regarding the security measures in place at IMS, particularly as the attack appears to align with several tactics outlined in the MITRE ATT&CK Matrix. Potential adversary tactics employed in the ransomware attack could include initial access methods such as spear phishing or exploitation of vulnerabilities within the company’s systems. Persistence techniques might have allowed attackers to maintain their foothold, while privilege escalation tactics could have facilitated access to sensitive data.
In light of the breach, business owners are reminded of the imperative to bolster cybersecurity frameworks and to remain vigilant against evolving threats. This case serves as a potent reminder of the consequences that accompany insufficient cybersecurity defenses, highlighting the necessity for robust incident response strategies and continuous risk assessments in today’s digital landscape. As the situation unfolds, stakeholders will be watching closely for judicial responses and further developments regarding the settlement and its implications for affected clients.