Infosys to Pay USD 17.5 million to Settle BPM Unit Data Breach Case

Infosys will pay $17.5 million to resolve a class-action lawsuit against one of its business process management (BPM) units stemming from a cybersecurity incident in 2023.

Some of Infosys McCamish Systems' data, a unit of Infosys BPM, was compromised between October and November 2023, resulting in the inability to use certain McCamish systems and applications.

McCamish, acquired by Infosys BPM in 2009, is a platform-based BPO firm that offers life insurance and retirement software solutions and service offerings in the United States.

"The proposed terms are subject to the plaintiffs' confirmation and due diligence, finalisation of the settlement agreement terms, and preliminary and final court approval. "Once approved, the settlement will resolve all allegations raised in the class-action lawsuits without admitting any liability," Infosys said in a statement.

The data breach affected approximately 57,000 Bank of America (BofA) customers, who are among the largest clients of India's second-largest IT services provider. Some of the data that was compromised included sensitive customer information such as names, addresses, social security numbers, and other account information related to BofA's deferred compensation plan.

Infosys stated last year that the breach resulted in a loss of contracted revenues and $38 million in costs for remediation, restoration, communication efforts, investigative processes and analysis, and legal services by March 31, 2024.