.webp?w=1600&resize=1600,900&ssl=1 "Infosys")
Indian technology giant Infosys Limited has agreed to pay $17.5 million to settle six class action lawsuits from a significant data breach at its U.S. subsidiary, Infosys McCamish Systems LLC (McCamish).
The settlement, announced on March 14, 2025, resolves allegations related to a cybersecurity incident that compromised the personal information of approximately 6.5 million individuals across the United States.
The cyber incident between October 29 and November 2, 2023, involved unauthorized access to McCamish’s systems, followed by data exfiltration and ransomware deployment.
.png
)
The LockBit ransomware group claimed responsibility for the attack. It allegedly encrypted more than 2,000 corporate systems and demanded a ransom payment.
Details of the Breach and Settlement
In a regulatory filing with the Securities and Exchange Commission (SEC), Infosys disclosed that McCamish and the plaintiffs engaged in mediation on March 13, 2025, resulting in an agreement in principle.
Under the proposed settlement terms, McCamish will pay $17.5 million into a fund to resolve all pending litigation.
“This proposed agreement would settle all the pending class action lawsuits and resolve all allegations made in this matter,” Infosys stated in its filing to stock exchanges.
The company emphasized that the settlement would resolve the allegations without admitting liability. The cybersecurity incident significantly impacted McCamish, specializing in life insurance and retirement software solutions for the U.S. market.
In April 2024, McCamish reported that approximately 6.5 million individuals were affected by the data breach, a substantial increase from the initially reported figure of 57,000.
The compromised personally identifiable information (PII) included names, addresses, Social Security numbers, driver’s license numbers, dates of birth, email addresses, usernames, passwords, financial account information, and medical data.
Customers of major financial institutions, including Bank of America and Fidelity Investments Life Insurance Company, were affected.
Following the breach, McCamish implemented comprehensive incident response protocols, working with cybersecurity experts to mitigate the compromise.
The company reported that by December 31, 2023, it had “substantially remediated and restored the affected applications and systems.”
The cyber incident resulted in significant financial implications for Infosys, including loss of contracted revenues and approximately $38 million in costs related to remediation, restoration, communication efforts, investigative processes, analysis, and legal services.
The six class action lawsuits were consolidated with a complaint filed on behalf of all U.S. residents whose personally identifiable information was compromised.
The lawsuits alleged negligence, failure to implement adequate cybersecurity measures, and delayed notification to affected individuals.
The proposed settlement terms remain subject to the plaintiffs’ confirmation and due diligence, the finalization of the settlement agreement, and both preliminary and final court approval.
Once approved, the agreement will also resolve related class action lawsuits against McCamish’s customers.
This settlement comes amid increasing regulatory scrutiny and financial penalties related to data breaches across various industries. Several other major companies recently announced similar multi-million-dollar settlements for cybersecurity incidents.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
