Indian technology company Infosys Limited has reached an agreement with the plaintiffs in six class action lawsuits filed in the US against its wholly owned subsidiary Infosys McCamish System (McCamish) over a 2023 data breach.
McCamish, which specializes in insurance solutions, disclosed the incident in November 2023, in a filing with the US Securities and Exchange Commission, saying that customer data was compromised in a cyberattack, but refrained from sharing further details.
In early 2024, Bank of America and Fidelity Investments Life Insurance Company notified tens of thousands of individuals that their personal information was stolen in data breaches related to the cyberattack on McCamish.
In an April 2024 update, McCamish said that it had determined with the aid of a third-party e-discovery vendor that approximately 6.5 million individuals were impacted by the incident.
In January 2025, McCamish told the SEC that it had “substantially remediated and restored the affected applications and systems” by December 31, 2023. It also said that the class action lawsuits were consolidated and that the parties agreed to resolve the conflict through mediation.
“All six actions have since been consolidated, and the consolidated class action complaint was filed on November 7, 2024, purportedly on behalf of all persons residing in the United States whose personally identifiable information was compromised in the incident, including all who were sent a notice of the incident,” the company said.
Last week, the company notified the SEC and the National Stock Exchange of India that it has reached an agreement with the plaintiffs, and that it would pay $17.5 million as part of the settlement.
“This proposed agreement would settle all the pending class action lawsuits and resolve all allegations made in this matter,” the company said (PDF).
The agreement settles both the class action lawsuits against McCamish and those filed against its customers over the data breach, the company said.
“The proposed terms are subject to confirmation and due diligence by the plaintiffs, finalization of the terms of the settlement agreement, as well as preliminary and final court approval. Once approved, the settlement will resolve all allegations made in the class action lawsuits without admission of any liability,” McCamish noted.
Related: US Military Health Provider HNFS Pays $11M in Settlement Over Cybersecurity Failures
Related: In Other News: VPN Supply Chain Attack, PayPal $2M Settlement, RAT Builder Hacks Script Kiddies
Related: AT&T to Pay $13 Million in Settlement Over 2023 Data Breach
Related: Healthcare Provider to Pay $65M Settlement Following Ransomware Attack
