Infosys details type of data compromised in last year’s cyberattack

Infosys McCamish Systems (IMS), a US subsidiary of India’s IT service provider Infosys, has provided more details about the type of data compromised in last year’s cyberattack.

According to a breach notification letter submitted to the Maine Attorney General, the cybersecurity incident in late 2023 impacted more than 6 million people.

Back in November, IMS did not provide many details about the disruption and only said that the breach resulted in the “non-availability” of some applications and systems.

Only a few months later, the Bank of America revealed that the cyberattack impacted 57,000 of its customers. This, of course, highlighted the interconnected risks within the financial services landscape.

Now, IMS says it began providing written notice of the compromise to all impacted individuals and that the company had conducted a review of the incident and determined that some personal information was breached.

“The information impacted varies by individual but includes some or all of the following: Social Security Number, date of birth, medical treatment/record information, biometric data, email address and password, username and password, Driver’s License number or state ID number, financial account information, payment card information, passport number, tribal ID number, and US military ID number,” said IMS.

The firm said it was unaware of any instances in which personal information had been fraudulently used, but it still offered impacted individuals complimentary credit monitoring for 24 months.

IMS is a fully-owned subsidiary of Infosys in the US. Infosys is one of India's largest companies, with a significant global presence and over 300,000 employees worldwide.

The company has been already hit by two class action complaints over last year’s cyberattack. In March and in May, they were both filed in the US District Court for the Northern District of Georgia.

“On May 15, 2024, another class action complaint arising out of the same incident was filed in the same court against IMS. The complaint was purportedly filed on behalf of some or all individuals whose personally identifiable information was compromised in the incident,” Infosys said in a public disclosure in May.

The LockBit ransomware group claimed responsibility for the IMS hack. Having received millions in Bitcoin ransom payouts from its victims, LockBit shows no sign of slowing down, even after having its infrastructure raided by US and International law enforcement this February.