close
close

Another class action lawsuit against Infosys McCamish for cybersecurity incident in 2023

Another class action lawsuit was filed this month against McCamish Systems LLC, an Infosys BPO company, in the U.S. District Court for the Northern District of Georgia. The company disclosed this information in a filing with the U.S. Securities and Exchange Commission (SEC) on Wednesday evening, several weeks after the original filing.

McCamish originally experienced the cybersecurity incident that resulted in the unavailability of certain applications and systems in November 2023.

“On July 8, another class action lawsuit was filed against McCamish in the same court arising out of the same incident. The lawsuit was purportedly filed on behalf of all individuals living in the United States whose private information was accessed and/or acquired by an unauthorized party as a result of the incident. Aside from the aforementioned lawsuits, the class faces litigation and claims in the normal course of business,” the company said in a July 18 report prepared in accordance with International Financial Reporting Standards (IFRS).

In the statement, the IT giant added that the group’s management does not expect that such “ordinary” legal actions would have a material and adverse impact on the group’s business or financial position.

The incident resulted in the unauthorized access and exfiltration of information from approximately 6.5 million individuals. The data included information such as email and mailing addresses, phone numbers, dates of birth, social security numbers and other identification numbers, usernames, passwords, bank and customer account numbers, insurance numbers, salaries, and personal medical information.

“However, not all of the information of these individuals was accessed and exfiltrated. McCamish also identified enterprise customers whose business data was subject to unauthorized access and exfiltration. We will notify our affected customers and intend to work with them to assist them with their respective reporting obligations as appropriate,” Infosys said in a BSE/NSE filing in April.

In an SEC filing in January this year, Infosys said it had initiated its response to the incident and engaged cybersecurity and other specialists to assist in the investigation, incident response, remediation, and recovery of the affected applications and systems. “By December 31, 2023, McCamish, with the assistance of third-party specialists, has remediated and recovered the affected applications and systems,” the statement said.

The company reported a loss of Rs 250 crore in contractual revenue and costs for remediation, restoration and communication measures.

McCamish added that an external cybersecurity firm analyzed the situation and said certain data, including customer data, had been exfiltrated by unauthorized third parties.

Previously, three such class action lawsuits were filed in the same court – in March, May and June. After the first lawsuit was filed, McCamish filed a motion to dismiss in May. After the second lawsuit was filed, plaintiffs in the two class action lawsuits filed a motion to consolidate the two cases.

Infosys sent an email seeking comments on the CEO’s statements during the first quarter of fiscal 2025 results. “McCamish is currently coordinating with its customers to ensure that all notifications are provided. In addition, we have notified the US state attorneys general and insurance commissioners,” Salil Parekh, CEO and managing director of Infosys, had said.

This is your last free item.