Infosys McCamish Systems, a US-based subsidiary of Infosys BPM, has agreed to a $17.5m settlement to resolve ongoing class action lawsuits stemming from a cybersecurity incident in 2023. The resolution follows mediation on 13 March 2025, involving both McCamish and the plaintiffs, which resulted in an agreement in principle. This was disclosed by Infosys in a stock exchange filing, detailing that the settlement will address lawsuits filed against McCamish Systems and its customers.

As a provider of life insurance and retirement software solutions for Infosys BPM, Infosys McCamish offers various insurance products, investment options, distribution models, and platform deployment choices. The agreement remains subject to due diligence, finalisation of terms, and preliminary and final court approvals. Once approved, it will resolve all allegations without any admission of liability.

Details of the cybersecurity incident

In November 2023, Infosys reported that McCamish Systems was impacted by a cybersecurity event that affected the availability of certain applications and systems. The Indian IT company highlighted its commitment to data protection and cybersecurity, stating that it is collaborating with a leading cybersecurity provider to address the issue promptly. An independent investigation was launched to identify potential impacts on systems and data.

By April last year, through coordination with a third-party eDiscovery vendor, McCamish Systems identified approximately 6.5 million individuals whose information was compromised during the cybersecurity incident in November 2023. The accessed data varies per individual but may include personal details such as email addresses, phone numbers, birth dates, social security numbers, usernames, passwords, financial account numbers, policy numbers, salaries, and medical information. However, not all individuals had all these pieces of information accessed and exfiltrated.

Additionally, McCamish Systems identified corporate customers whose business data experienced unauthorised access and exfiltration. The Infosys BPM subsidiary plans to notify affected customers and work with them regarding their respective reporting obligations as necessary.

Earlier this year, Tata Technologies, another major Indian technology firm, encountered a cybersecurity breach. Following a ransomware attack that compromised the company network, Tata Technologies had to temporarily suspend certain IT services. In a stock exchange filing, the company confirmed that the affected IT assets have been restored. Despite the disruption, client delivery services remained fully operational throughout the incident, ensuring no impact on customer operations.

In a similar development, French telecommunications provider Orange Group recently reported a cyberattack targeting its Romanian operations. According to reports, the incident involved a non-critical back-office application and did not affect customer services.

Read more: Orange Group investigates cyberattack as hacker releases compromised data