In late 2023, Infosys McCamish Systems LLC suffered a **ransomware attack** that led to a **massive data breach**, compromising the **personal, biometric, financial, and protected health information** of approximately **3.7 million individuals** in the U.S. The breach exposed sensitive data, resulting in a **$17.5 million class-action settlement** to address claims of **identity theft risks, financial fraud, and inadequate security measures**. Victims were offered **up to $6,000 in reimbursements** for documented losses (e.g., fraud, legal fees, credit monitoring) and **two years of credit monitoring with $1 million identity theft insurance**. The lawsuit alleged **failure to protect data and delayed breach notifications**, though the company denied liability. The attack’s scale and the **highly sensitive nature of leaked data**—including health and financial records—posed severe risks to affected individuals, leading to legal and reputational consequences for the company.
Source: https://www.claimdepot.com/settlements/infosys-data-settlement
TPRM report: https://www.rankiteo.com/company/mccamish-systems-an-infosys-company
"id": "mcc4892848092325",
"linkid": "mccamish-systems-an-infosys-company",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'customers_affected': '3.7 million individuals',
'industry': ['Information Technology',
'Business Process Outsourcing',
'Insurance Services'],
'location': 'United States',
'name': 'Infosys McCamish Systems LLC',
'type': 'Subsidiary (BPO/IT Services)'}],
'attack_vector': 'Ransomware',
'customer_advisories': ['Credit monitoring offered (2 years, $1M identity '
'theft insurance)',
'Cash payments up to $6,000 for documented losses',
'$30 residual cash payment per claimant'],
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': '3,700,000',
'personally_identifiable_information': ['Names',
'Addresses',
'Social Security '
'Numbers',
'Biometric Data',
'Financial Account '
'Information',
'Health Records'],
'sensitivity_of_data': 'High (includes PHI, biometrics, '
'financial data)',
'type_of_data_compromised': ['Personal Information',
'Biometric Data',
'Financial Information',
'Protected Health Information '
'(PHI)']},
'date_detected': '2023-10-29',
'description': 'Infosys McCamish Systems LLC experienced a ransomware attack '
'in late 2023, compromising the personal, biometric, '
'financial, and protected health information of approximately '
'3.7 million individuals. The company agreed to a $17.5 '
'million class action settlement to resolve allegations of '
'inadequate data protection and delayed breach notification.',
'impact': {'brand_reputation_impact': 'Significant (class action settlement, '
'public disclosure of breach)',
'customer_complaints': 'Class action lawsuit filed by affected '
'individuals',
'data_compromised': ['Personal Information',
'Biometric Data',
'Financial Information',
'Protected Health Information (PHI)'],
'financial_loss': '$17.5 million (settlement fund)',
'identity_theft_risk': 'High (3.7 million individuals affected, '
'credit monitoring offered)',
'legal_liabilities': "$17.5 million settlement, attorneys' fees up "
'to $5.83 million, potential regulatory fines',
'payment_information_risk': 'Yes (financial information '
'compromised)'},
'initial_access_broker': {'high_value_targets': ['Personal Data',
'Biometric Data',
'Financial Data',
'PHI']},
'investigation_status': 'Settled (class action lawsuit resolved)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'corrective_actions': ['$17.5M settlement fund',
'Credit monitoring for '
'affected individuals',
'Legal compliance '
'improvements (implied)'],
'root_causes': ['Inadequate data protection '
'measures',
'Delayed breach notification']},
'ransomware': {'data_encryption': 'Yes (implied by ransomware attack)',
'data_exfiltration': 'Yes'},
'references': [{'source': 'Class Action Settlement Notice (McNally v. Infosys '
'McCamish Systems LLC)'},
{'source': 'Kroll Settlement Administration LLC'}],
'regulatory_compliance': {'legal_actions': ['Class action lawsuit (settled '
'for $17.5M)'],
'regulations_violated': ['Potential HIPAA (PHI '
'exposure)',
'State data breach '
'notification laws '
'(untimely notice)']},
'response': {'communication_strategy': ['Settlement notices to class members',
'Public disclosure via settlement '
'website'],
'incident_response_plan_activated': 'Yes (settlement implies '
'post-breach actions)',
'remediation_measures': ['Class action settlement ($17.5M)',
'Credit monitoring for affected '
'individuals'],
'third_party_assistance': ['Kroll Settlement Administration LLC '
'(claims processing)']},
'stakeholder_advisories': ['Settlement notices sent to 3.7M affected '
'individuals'],
'title': 'Infosys McCamish Systems LLC Ransomware Attack and Data Breach '
'(2023)',
'type': ['Data Breach', 'Ransomware Attack']}