After months of legal wrangling, Infosys Limited has agreed to shell out $17.5 million to settle six class action lawsuits stemming from a massive data breach at its subsidiary last year. The settlement resolves allegations without any admission of liability. Classic corporate move.
Another data breach, another eight-figure settlement without admitting anything went wrong.
The breach hit Infosys McCamish Systems (IMS), a subsidiary of Infosys BPM, exposing sensitive data of more than 6 million individuals. The investigation revealed that SecurityScorecard had identified 23 compromised IMS credentials before the incident. Unauthorized access took place between October 29 and November 2, 2023. The LockBit ransomware group proudly claimed responsibility, because nothing says “successful cybercrime” like a public boast.
What got stolen? Pretty much everything you wouldn’t want criminals to have. Social Security numbers. Dates of birth. Medical records. Email addresses and passwords. Financial account details. Even biometric data. Identity theft starter pack, basically.
Several major financial institutions saw their customers’ data compromised. Bank of America, Fidelity Investments Life Insurance Company, Union Labor Life Insurance, and Newport Group all had to break the bad news to their clients. Nothing builds customer confidence like “Hey, remember all that personal info you trusted us with? Yeah, about that…”
Infosys says its systems were substantially restored by December 31, 2023. It hired third-party cybersecurity experts and an eDiscovery vendor to review the exposed data, and affected individuals were offered 24 months of credit monitoring. Notifications, however, did not begin until June 27, 2024, nearly eight months after the intrusion. Better late than never. The case also shows how hard supply-chain exposure has become to manage in modern IT environments: the data was lost at a third-party processor, not at the institutions whose customers it belonged to.
Infosys initially estimated the breach would cost it at least $30 million. It settled for $17.5 million, but additional costs, including indemnities owed to its clients, could still pile up. The settlement also needs court approval before it’s final.
The breach highlights some uncomfortable truths about third-party risk management. Companies can have Fort Knox-level security, but if their vendors are vulnerable, customer data is still at risk.
The fallout continues, with potential regulatory scrutiny over delayed notifications and industry-wide implications for cybersecurity practices. One thing’s clear—the true cost of this breach extends far beyond the settlement check.