In March 2025, Indian IT services company Infosys made headlines as its U.S. subsidiary, Infosys McCamish Systems, agreed to pay a whopping $17.5 million to settle six class action lawsuits stemming from a significant cybersecurity incident that impacted over 6 million individuals. The incident, which occurred in November 2023, involved unauthorized access to Infosys McCamish Systems’ systems, data exfiltration, and encryption of systems with ransomware.
The cyberattack, which took place between October 29 and November 2, 2023, was attributed to the LockBit ransomware group, who claimed responsibility for encrypting more than 2,000 corporate systems, including those of Infosys McCamish Systems. The group demanded a $50,000 ransom payment, but Infosys McCamish Systems’ offer was deemed insufficient by the attackers.
The compromised data included a treasure trove of sensitive information such as Social Security Numbers, dates of birth, medical treatment details, email addresses, passwords, driver’s license numbers, financial account information, payment card details, passport numbers, tribal ID numbers, and U.S. military ID numbers. Following the breach, Infosys McCamish Systems identified corporate customers whose business data had also been exposed and committed to notifying and supporting them in their reporting obligations.
By June 2024, Infosys revealed that approximately 6.08 million individuals were affected by the ransomware attack. Notably, the data breach incident also impacted approximately 57,000 Bank of America customers, as disclosed by Infosys McCamish Systems to the attorney general’s office. Subsequently, several class-action lawsuits were filed against the company, with plaintiffs alleging that Infosys had failed to implement adequate cybersecurity measures, thereby exposing customers to various cyber risks.
One of the lawsuits specifically accused Infosys of neglecting to promptly notify affected customers about the data security incident and failing to provide important details such as the vulnerabilities exploited and remedial measures taken to prevent future breaches. This lack of transparency was perceived as hindering the affected individuals’ ability to mitigate the potential harms resulting from the breach.
In response to the legal action, Infosys McCamish Systems entered into a settlement agreement with the plaintiffs in March 2025, without admitting any liability. The proposed settlement amount of $17.5 million, subject to court approval, was intended to address the claims and bring closure to the legal disputes arising from the cybersecurity incident. The company expressed its commitment to cybersecurity and data protection moving forward, underscoring the importance of safeguarding customer information and ensuring robust security measures.
This high-profile case serves as a stark reminder of the far-reaching implications of cyberattacks on organizations and individuals alike. As the digital landscape continues to evolve, businesses must prioritize cybersecurity and risk management to protect sensitive data and maintain the trust of their stakeholders.