• Home
  • cyber
  • Infosys Ltd. and ESOP Direct: Infosys Data Breach Lawsuit Investigation
cyber Breach

Infosys Ltd. and ESOP Direct: Infosys Data Breach Lawsuit Investigation

Oct 29, 2025 2 min read
Infosys Ltd. and ESOP Direct: Infosys Data Breach Lawsuit Investigation

Infosys Data Breach Exposes Sensitive Employee Data via Third-Party Vendor

A data breach at Infosys Ltd., a global IT services and consulting giant, has exposed sensitive personal and financial information of employees through a third-party vendor. The incident, traced to ESOP Direct the administrator of Infosys’ employee share scheme occurred on October 29, 2025, but was only disclosed to the Massachusetts Attorney General’s office on March 12, 2026.

The breach compromised data belonging to at least 17 Massachusetts residents, though the total number of affected individuals across other states remains unspecified. Exposed information includes names, addresses, phone numbers, transaction receipts, bank identifier codes, payment amounts, bank account details, and government IDs.

Infosys, headquartered in Bengaluru, India, is a Fortune 500 company with over 250,000 employees and operations in 50+ countries, providing IT services, digital banking solutions, and consulting. The firm, listed on the New York Stock Exchange, has faced scrutiny as legal teams investigate potential compensation claims for affected individuals.

The incident highlights risks associated with third-party vendors handling sensitive employee data, particularly in global enterprises. Further details on the breach’s scope and remediation efforts are pending.

Source: https://www.claimdepot.com/investigations/infosys-data-breach-2026

Infosys cybersecurity rating report: https://www.rankiteo.com/company/infosys

ESOP Direct - A Qapita Company cybersecurity rating report: https://www.rankiteo.com/company/esopdirect

"id": "INFESO1773692833",
"linkid": "infosys, esopdirect",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'At least 17 Massachusetts '
                                              'residents (total unspecified)',
                        'industry': 'IT Services and Consulting',
                        'location': 'Bengaluru, India',
                        'name': 'Infosys Ltd.',
                        'size': '250,000+ employees',
                        'type': 'Corporation'}],
 'attack_vector': 'Third-Party Vendor Compromise',
 'data_breach': {'number_of_records_exposed': 'At least 17 (total unspecified)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Names',
                                              'Addresses',
                                              'Phone numbers',
                                              'Transaction receipts',
                                              'Bank identifier codes',
                                              'Payment amounts',
                                              'Bank account details',
                                              'Government IDs']},
 'date_detected': '2025-10-29',
 'date_publicly_disclosed': '2026-03-12',
 'description': 'A data breach at Infosys Ltd., a global IT services and '
                'consulting giant, has exposed sensitive personal and '
                'financial information of employees through a third-party '
                'vendor. The incident, traced to ESOP Direct, the '
                'administrator of Infosys’ employee share scheme, occurred on '
                'October 29, 2025, but was only disclosed to the Massachusetts '
                'Attorney General’s office on March 12, 2026. The breach '
                'compromised data belonging to at least 17 Massachusetts '
                'residents, though the total number of affected individuals '
                'across other states remains unspecified. Exposed information '
                'includes names, addresses, phone numbers, transaction '
                'receipts, bank identifier codes, payment amounts, bank '
                'account details, and government IDs.',
 'impact': {'brand_reputation_impact': 'Potential scrutiny and legal '
                                       'investigations',
            'data_compromised': 'Sensitive personal and financial information '
                                'of employees',
            'identity_theft_risk': 'High',
            'legal_liabilities': 'Potential compensation claims for affected '
                                 'individuals',
            'payment_information_risk': 'High'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Highlights risks associated with third-party vendors '
                    'handling sensitive employee data, particularly in global '
                    'enterprises.',
 'post_incident_analysis': {'root_causes': 'Third-party vendor (ESOP Direct) '
                                           'compromise'},
 'references': [{'source': 'Massachusetts Attorney General’s office'}],
 'regulatory_compliance': {'legal_actions': 'Potential compensation claims '
                                            'under investigation',
                           'regulatory_notifications': 'Massachusetts Attorney '
                                                       'General’s office'},
 'response': {'communication_strategy': 'Disclosed to Massachusetts Attorney '
                                        'General’s office'},
 'title': 'Infosys Data Breach Exposes Sensitive Employee Data via Third-Party '
          'Vendor',
 'type': 'Data Breach'}
Published by
Jeremy C
Jeremy C
You might also like
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.