Date: 2025-03-15

Narayana Murthy’s Infosys, which has faced legal trouble over a 2023 cybersecurity incident, has reached an agreement with the petitioner that filed a lawsuit against the Indian tech company in 2023 alleging a cybersecurity issue. The incident involves Infosys McCamish Systems (IMS), a subsidiary of Infosys BPM, which has agreed to pay $17.5 million (Rs 1,521,444,208) to address all remaining class-action suits and resolve the allegations against the company’s US unit.

Infosys’ statement in a stock exchange filing read, “On March 13, 2025, McCamish and the plaintiffs engaged in mediation, resulting in an agreement in principle, which sets forth the terms of a proposed settlement of class-action lawsuits against McCamish, as well as class-action lawsuits filed against McCamish's customers. Under the proposed settlement terms, McCamish agreed to pay $17.5 million into a fund to settle this matter.”

What was the cybersecurity incident of 2023?

Infosys faced a cybersecurity threat in November 2023. It noted that “IMS systems were encrypted by ransomware,” resulting in the non-availability of certain applications and systems. It said that on November 2, 2023, “IMS began an investigation with the assistance of third-party cybersecurity experts.” It also said that it made law enforcement aware of the matter. “Investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023. Through the investigation, it was also determined that data was subject to unauthorized access and acquisition,” it said.

The company also stated that some of its customers’ data may have been affected. According to Infosys, the affected data included personal information like “Social Security Number, date of birth, medical treatment/record information, biometric data, email address and password, Driver’s License number or state ID number, financial account information, payment card information, passport number, tribal ID number, and U.S. military ID number.”

Infosys McCamish is a business process outsourcing (BPO) firm specializing in financial services, particularly life insurance, annuities, and retirement plans. It also resells software to industry-specific clients. Infosys acquired McCamish in 2009 as part of its BPM (Business Process Management) division. In 2024, according to cybersecurity analysts, the LockBit ransomware gang took responsibility for the attack. The same year, Bank of America (BofA), one of the main customers of Infosys, said that IMS was the source of the data security threat affecting as many as 57,028 of its customers.

Infosys stated that the proposed settlement terms are contingent upon verification and review by the plaintiffs, completion of the settlement agreement, and preliminary and final approval from the court. “Once approved, the settlement will resolve all allegations made in the class-action lawsuits without admission of any liability,” the filing said.