Another class action lawsuit filed against Infosys McCamish over 2023 cybersecurity incident

Another class action lawsuit was filed this month against McCamish Systems LLC, an Infosys business process outsourcing company, in the U.S. District Court for the Northern District of Georgia. The company disclosed the information in a filing with the U.S. Securities and Exchange Commission (SEC) late Wednesday, several weeks after its initial filing.

McCamish initially experienced a cybersecurity incident that resulted in certain applications and systems being unavailable in November 2023.

“On July 8, another class action lawsuit arising from the same incident was filed in the same court against McCamish. The lawsuit is said to have been filed on behalf of all persons residing in the United States whose private information was accessed and/or acquired by an unauthorized party as a result of the incident. In addition to the above actions, the group is subject to legal proceedings and claims arising in the ordinary course of business,” the company said in an IFRS (International Financial Reporting Standards) report filed on July 18.

In the statement, the IT giant added that the group’s management does not expect such “ordinary” legal actions to have a material and negative effect on its operations or financial condition.

The information of approximately 6.5 million people was subject to unauthorized access and exfiltration in this incident. The data included information such as email and postal addresses, telephone numbers, dates of birth, Social Security and other identification numbers, usernames, passwords, financial and customer account numbers, policy numbers, salaries, and personal medical information.

“However, not all of these individuals had access to and exfiltrated all of the information. McCamish has also identified corporate clients whose business data was subject to unauthorized access and exfiltration. We will notify our affected clients and intend to work with them to help them comply with their respective reporting obligations, as appropriate,” Infosys said in a BSE/NSE filing in April.

In a filing with the SEC in January this year, Infosys said it had launched its incident response and engaged cybersecurity and other specialists to assist with its investigation, incident response, remediation and restoration of impacted applications and systems. “As of December 31, 2023, McCamish, with the assistance of external specialists, has remediated and restored the affected applications and systems,” the statement read.

The company reported a loss of ₹250 crore in contract revenue and costs to meet remediation, restoration and communication efforts.

Adding that a third-party cybersecurity firm had analyzed the situation, McCamish said some data, including customer data, had been exfiltrated by unauthorized third parties.

Previously, three such complaints had been filed in the same court, in March, May and June. After the first complaint was filed, McCamish filed a motion to dismiss it in May. After the second complaint was filed, the plaintiffs in both class actions filed a motion to join the two cases.

Infosys sent a letter seeking comment on what the CEO said when it released its Q1 FY25 results. “McCamish is coordinating with its clients to ensure that all notifications are provided. In addition, we have informed the US state attorneys general and insurance commissioners,” said Salil Parekh, CEO and MD, Infosys.