March 21, 2025 — Infosys Limited, India’s second-largest IT services provider, has reached a significant milestone in resolving the fallout from a major cybersecurity breach involving its U.S. subsidiary, Infosys McCamish Systems LLC.
The company has agreed to pay $17.5 million to settle six class action lawsuits filed in the United States.
These lawsuits stemmed from a ransomware attack and data breach in late 2023 that compromised the sensitive personal information of approximately 6.5 million individuals.
Background of the Cyber Incident
The breach occurred between October 29 and November 2, 2023, when the LockBit ransomware group infiltrated Infosys McCamish’s systems.
The attackers encrypted files and exfiltrated vast amounts of sensitive data, including Social Security numbers, driver’s license details, financial account information, and even medical records.
Initially, Infosys McCamish offered $50,000 to prevent the release of stolen data; however, this offer was rejected by the attackers, who subsequently leaked the data.
By December 31, 2023, Infosys McCamish had substantially restored its affected systems with the help of third-party cybersecurity experts.
A forensic investigation confirmed that both personal and business data had been accessed and stolen.
The breach impacted not only individuals but also several customers of Infosys McCamish, including major financial institutions like Bank of America and Fidelity Investments Life Insurance Company.
Legal Actions and Settlement
In response to the breach, six class action lawsuits were filed in U.S. courts on behalf of affected individuals.
These lawsuits were consolidated into a single action in November 2024.
Mediation efforts culminated on March 13, 2025, when Infosys McCamish reached an agreement in principle with the plaintiffs.
Under the proposed settlement terms:
- Infosys McCamish will pay $17.5 million into a settlement fund.
- This fund will address claims from all affected parties, including customers impacted by the breach.
- The settlement resolves all allegations without any admission of liability by Infosys or its subsidiary.
The agreement is subject to several conditions, including due diligence by the plaintiffs and preliminary and final court approvals.
Impact on Infosys
The cyber incident has had notable financial repercussions for Infosys.
In addition to the settlement amount:
- The company incurred costs related to system restoration and third-party cybersecurity investigations.
- Its operating margins were reduced by approximately 60 basis points following the breach.
- Regulatory filings indicated that significant resources were allocated to manage legal disputes and remediate systems.
Despite these challenges, Infosys has reiterated its commitment to strengthening its cybersecurity infrastructure.
The company emphasized that data protection remains a top priority as it works to rebuild trust among stakeholders.
Industry Implications
This settlement highlights growing concerns about cybersecurity risks in an increasingly digital world.
Large-scale data breaches are becoming more frequent, with attackers targeting sensitive information stored by corporations.
Legal settlements like this one underscore the importance of robust cybersecurity measures and timely incident response protocols.
Next Steps
The proposed settlement awaits court approval before it can be finalized.
Once approved, it will bring closure to one of the largest cybersecurity incidents faced by Infosys McCamish Systems.
For investors and stakeholders tracking developments on major stock exchanges such as BSE Limited (BSE), National Stock Exchange of India Limited (NSE), and New York Stock Exchange (NYSE), this resolution marks an important step forward for Infosys as it seeks to mitigate reputational damage and focus on future growth opportunities.