Infosys Hit With $17.5M Payout Over Massive Data Leak

Infosys Limited is set to pay $17.5 million to settle multiple lawsuits tied to a data breach that swept through its US subsidiary, Infosys McCamish Systems (IMS), leaving millions of people exposed. The cyberattack, traced back to late 2023, triggered widespread fallout, hitting financial giants like Bank of America and Fidelity.

It all started when IMS quietly disclosed the breach in a filing with the Securities and Exchange Commission (SEC) in November 2023. At the time, the company admitted that attackers had disrupted key applications and systems but stopped short of revealing how deeply the attack had pierced its network.

By early 2024, however, the true scope of the breach began unfolding — and it was far worse than initially hinted. Major financial institutions came forward, one after another, alerting customers that their personal data had been compromised. Fidelity Investments Life Insurance Company (FILI) reached out to nearly 30,000 people. Bank of America followed, confirming that at least 57,000 customers were affected. American Express, too, disclosed that customer credit card data had been exposed — though their own internal systems weren’t breached.

Investigators later confirmed that the cyberattack took place over just five days, between October 29 and November 2, 2023. Yet, in that brief window, hackers managed to siphon off highly sensitive information stored on IMS servers. The stolen data included full names, Social Security numbers, states of residence, banking details like account and routing numbers, and even dates of birth — every piece of information a cybercriminal would need for fraud or identity theft.

By April 2024, IMS acknowledged the staggering impact — 6.5 million individuals had their data compromised. The company claimed it had restored systems and completed major remediation work by the end of 2023. But for victims, the damage was already done.

Soon after, a wave of class action lawsuits was filed across the US on behalf of those whose personal information was leaked. The legal complaints pointed squarely at IMS’s failure to safeguard the vast amount of sensitive data entrusted to it.

Rather than fight it out in court, both sides agreed to mediation, and the lawsuits were consolidated. By November 2024, a consolidated complaint was formally filed, setting the stage for settlement talks.

Infosys has now confirmed that under the proposed deal, IMS will create a $17.5 million settlement fund. This money is intended to compensate affected individuals and cover legal expenses — all without IMS admitting any wrongdoing.

“The proposed settlement terms are still subject to court approval and further review,” Infosys stated in its update. “Once finalized, this agreement will resolve all claims linked to the breach.”

While the legal settlement may close this chapter, the breach has reignited urgent conversations about third-party security risks — especially for companies handling personal and financial data. Many downstream victims of the IMS breach were customers of trusted financial brands, blindsided by the fact that a vendor’s failure had exposed their private information.

The case serves as a cautionary tale for enterprises: relying on third parties to manage sensitive data demands rigorous oversight, continuous risk assessments, and stronger cybersecurity measures. Without these safeguards, millions of people — and the companies serving them — remain exposed.
