Indian tech giant Infosys Limited has agreed to pay $17.5 million to settle six class action lawsuits stemming from a major data breach
at its U.S. subsidiary, Infosys McCamish Systems LLC (McCamish).
Announced on March 14, 2025, the settlement addresses claims related to a cybersecurity incident that exposed the personal data of approximately 6.5 million individuals across the United States.
The breach, which occurred between October 29 and November 2, 2023, involved unauthorized access to McCamish’s systems, leading to data theft and a ransomware attack. The LockBit ransomware group claimed responsibility, allegedly encrypting over 2,000 corporate systems and demanding a ransom.
In a regulatory filing with the Securities and Exchange Commission (SEC), Infosys confirmed that McCamish and the plaintiffs engaged in mediation on March 13, 2025, reaching an agreement in principle. Under the proposed terms, McCamish will contribute $17.5 million to a settlement fund to resolve all pending litigation.
“This agreement would settle all class action lawsuits and resolve all related allegations,” Infosys stated in its SEC filing, emphasizing that the company does not admit liability.
McCamish, which specializes in life insurance and retirement software solutions for the U.S. market, initially reported the breach as affecting 57,000 individuals. However, by April 2024, the estimate had surged to 6.5 million.
The stolen personally identifiable information (PII) included names, addresses, Social Security numbers, driver’s license details, birth dates, email addresses, usernames, passwords, financial account information, and medical records. Customers of major financial institutions, including Bank of America and Fidelity Investments Life Insurance Company, were among those impacted.
Following the breach, McCamish enacted comprehensive incident response measures, collaborating with cybersecurity experts to contain the threat. By December 31, 2023, the company reported that it had “substantially remediated and restored affected applications and systems.”
The cyberattack resulted in significant financial losses for Infosys, including lost revenue and approximately $38 million in costs related to system restoration, communication efforts, forensic analysis, and legal services.
The lawsuits, consolidated into a single complaint, accused McCamish of negligence, inadequate cybersecurity measures, and delayed notification to affected individuals.
The proposed settlement remains subject to finalization, plaintiff confirmation, and court approval. Once finalized, it will also resolve related lawsuits filed against McCamish’s corporate clients.
This settlement comes amid growing regulatory scrutiny and increasing financial penalties for data breaches, as more companies face legal consequences for cybersecurity failures.
Found this article interesting? Follow us on X(Twitter) and Instagram to read more exclusive content we post.
