Ransomware Attack in 2023 Affected Over 6 Million Individuals

Infosys, an Indian IT services provider, has announced that its U.S. subsidiary, Infosys McCamish Systems, will pay $17.5 million to resolve six class action lawsuits stemming from a cybersecurity breach that affected over 6 million individuals. This settlement addresses claims related to an incident that involved the unauthorized access and exfiltration of sensitive personal information.
In regulatory filings made on March 13, Infosys outlined the agreement to settle the lawsuits without admitting any liability. The settlement amount will be deposited into a consolidated fund for affected individuals. The terms of the deal remain contingent upon approval from the plaintiffs and final court endorsement.
The breach, which took place between October 29 and November 2, 2023, involved cybercriminals gaining access to Infosys McCamish Systems’ infrastructure, resulting in the theft of customer data and system encryption through ransomware. The LockBit ransomware group claimed responsibility for the attack, alleging that they encrypted over 2,000 corporate systems and demanded a ransom of $50,000 for the data.
Among the compromised information were Social Security numbers, dates of birth, medical records, email addresses, passwords, financial data, and various identification numbers. The incident has raised significant concerns about the adequacy of the cybersecurity measures implemented by Infosys McCamish Systems; one of the lawsuits accused the company of failing to safeguard customers’ private information.
In an April 2024 stock exchange filing, Infosys revealed that it had also identified corporate customers whose data had been accessed during the breach and committed to notifying those parties to assist with their reporting obligations. The company previously indicated that approximately 6.08 million individuals were impacted, with specific attention drawn to about 57,000 customers of Bank of America.
The allegations against Infosys underscore broader worries in the cybersecurity realm. The lawsuits claim that the company not only neglected to implement sufficient cybersecurity protocols but also delayed notifying affected customers about the breach’s specifics and the measures taken to mitigate further risks. Such deficiencies highlight the need for organizations to develop robust cybersecurity frameworks in line with established standards, particularly with reference to the MITRE ATT&CK matrix, where tactics such as initial access, persistence, and privilege escalation are critical considerations for defending against similar threats.
This case serves as a reminder for businesses, particularly those in the technology sector, to reinforce their cybersecurity practices to prevent future breaches and safeguard sensitive information. In light of the increasing number of cyber incidents, proactive measures and adherence to comprehensive security strategies are essential for protecting client data and maintaining trust.