Cybersecurity

Another class action suit against Infosys McCamish for 2023 cybersecurity incident

Another class action complaint was filed this month against McCamish Systems LLC, an Infosys BPO company, in the US District Court for the Northern District of Georgia. The company disclosed this information in a filing with the US Securities and Exchange Commission (SEC) on Wednesday night, weeks after it was originally filed.

McCamish had originally experienced the cybersecurity incident resulting in the non-availability of certain applications and systems in November 2023.

“On July 8, another class action complaint arising out of the same incident was filed in the same court against McCamish. The complaint was purportedly filed on behalf of all individuals residing in the US whose private information was accessed and/or acquired by an unauthorized party because of the incident. Apart from the foregoing actions, the Group is subject to legal proceedings and claims arising in the ordinary course of business,” said the company in an International Financial Reporting Standards (IFRS) report filed on July 18.

In the statement, the IT giant added that the group’s management does not expect such “ordinary” course legal actions to have a material and adverse effect on their operations or financial condition.

Information of approximately 6.5 million individuals was subject to unauthorized access and exfiltration in the incident. The data included information like email and mailing addresses, phone numbers, birth dates, social security numbers and other identification numbers, usernames, passwords, financial and customer account numbers, policy numbers, salaries, and personal medical information.

“However, not all of these individuals had all information accessed and exfiltrated. McCamish also identified corporate customers whose business data was subject to unauthorized access and exfiltration. We will be notifying our impacted customers and intend to work with them to support their respective reporting obligations, as appropriate,” said Infosys in a BSE/NSE filing in April.

In an SEC filing made in January this year, Infosys stated it had initiated its incident response and engaged cybersecurity and other specialists to assist in its investigation, response to the incident, remediation, and restoration of impacted applications and systems. “By December 31, 2023, McCamish, with external specialists’ assistance, remediated and restored the affected applications and systems,” read the statement.

The company reported a loss of ₹250 crore in contracted revenues and costs to address remediations, restoration, and communication efforts.

Adding that a third-party cybersecurity firm had analyzed the situation, McCamish said that certain data, including customer data, was exfiltrated by unauthorized third parties.

Earlier, three such class action complaints were filed in the same court – in March, May, and June. After the complaint was filed the first time, McCamish filed a motion to dismiss it in May. Following the timing of the second complaint, the plaintiffs in the two class actions filed a motion to consolidate the two cases.

Infosys directed a mail seeking comments to what the CEO had said during Q1 FY25 earnings. “McCamish is in the process of coordinating with its clients to ensure all the notifications are provided. In addition, we have notified U.S. State Attorney Generals and Insurance Commissioners,” Salil Parekh, CEO and MD, Infosys, had said.

This is your last free article.


Read More

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button