Infosys settles $17.5 mn class action over US cyberattack, data breach

Bengaluru-headquartered Infosys Ltd has proposed a settlement of class action lawsuits against Infosys McCamish Systems (IMS), a US subsidiary of the company, for data breaches because of a ransomware attack in November 2023. A statement filed to the stock exchanges said the proposed agreement would settle all the pending class action lawsuits and resolve all allegations made in them. Following a mediation on March 13, 2025, between the company and the plaintiffs, an agreement has been reached to settle not only cases against the IMS, but also against its customers. “Under the proposed settlement terms, McCamish has agreed to pay $17.5 million into a fund, to settle these matters. The proposed terms are subject to confirmation and due diligence by the plaintiffs, finalisation of the terms of the settlement agreement, as well as preliminary and final court approval. Once approved, the settlement will resolve all allegations made in the class action lawsuits without admission of any liability” the statement said.

In November 2023, Infosys informed the exchanges that IMS, a subsidiary of Infosys BPM Limited (a wholly owned subsidiary of Infosys Limited), had a cybersecurity attack that had shut down several of its applications and systems. Though not commenting on the extent of the data breach, it had said in a statement, “We are working with a leading cybersecurity products provider to resolve this at the earliest and have also launched an independent investigation with them to identify potential impact on systems and data.”

According to reports, IMS had engaged Unit 42, a part of Palo Alto Networks, to examine the extent to which the ransomware had affected its clients and the resolution of the problem, and EY to determine the impact on clients. The class action suits alleged that the critical data breach had resulted in information like names, addresses, Social Security numbers, and dates of birth of around 6 million people being compromised. Among those who used IMS as a third-party vendor included John Hancock Life Insurance Co., Newport Group, and Bank of America, all of which were also facing the threat of class action suits.