Software services company Infosys has been hit by another lawsuit over a cyberattack on US subsidiary Infosys McCamish Systems (IMS) in November last year. Kelly Collins, the plaintiff, filed the case in May in the US District Court for the Northern District of Georgia, as per a court document seen by ET.

Infosys had disclosed the cybersecurity incident at IMS on November 3, 2023. On March 6, a class action complaint was filed against IMS by another individual, John McNally.

“On May 15, 2024, another class action complaint arising out of the same incident was filed in the same court against IMS. The complaint was purportedly filed on behalf of some or all individuals whose personally identifiable information was compromised in the incident,” Infosys said in a public disclosure on Tuesday.

Infosys had earlier said that the loss of contracted revenues and costs incurred with respect to remediation, restoration, communication efforts, investigative processes and analysis, legal services and other services and costs related to the McCamish cybersecurity incident had amounted to $38 million (around Rs 316 crore) as on March 31, 2024. “IMS may incur additional costs including indemnities or damages/claims, which are indeterminable at this time,” it had said.

IMS, in coordination with its third-party eDiscovery vendor, has identified up to about 6.5 million individuals whose information was subject to unauthorised access and exfiltration, according to Infosys. The complaint was purportedly filed on behalf of all individuals within the US whose personally identifiable information was exposed as a result of the incident, it said.

The breach of data relates to information such as email and mailing addresses, phone numbers, birth dates, social security numbers and other identification numbers, usernames, passwords, financial and customer account numbers, policy numbers, salaries and personal medical information.

On May 6, 2024, IMS filed a motion to dismiss the complaint. However, the court document stated that on May 16, “Electronic summons issued to Infosys McCamish Systems”.“Our cybersecurity insurance covers first-party losses that occur due to a cybersecurity incident wherein losses include cost of forensics, appointing a crisis consultant and data restoration. The insurance also provides for business interruption losses that we might have to incur as a result of a system shutdown due to a cyber-incident,” Infosys said.

However, the Bengaluru-based IT company said its insurance may not be adequate to cover all losses in connection with any cybersecurity breach or other incident.

The case relates to a data breach that took place around November 2 last year when certain systems of IMS, a subsidiary of Infosys BPM Ltd (a wholly owned subsidiary of Infosys Limited), were encrypted by ransomware resulting in the non-availability of certain applications. The cybersecurity event occurred after an unauthorized third party accessed IMS systems.

ET reported in February that Bank of America had named IMS as the source of a data leak owing to a ransomware attack suffered by over 57,000 of its users.

As per reports, in April this year, Global Atlantic Financial Group also filed a notice with the Attorney General of Montana after discovering about the data breach at Infosys IMS, one of its vendors.

Software services company Infosys has been hit by another lawsuit over a cyberattack on US subsidiary Infosys McCamish Systems (IMS) in November last year. Kelly Collins, the plaintiff, filed the case in May in the US District Court for the Northern District of Georgia, as per a court document seen by ET.

Infosys had disclosed the cybersecurity incident at IMS on November 3, 2023. On March 6, a class action complaint was filed against IMS by another individual, John McNally.

“On May 15, 2024, another class action complaint arising out of the same incident was filed in the same court against IMS. The complaint was purportedly filed on behalf of some or all individuals whose personally identifiable information was compromised in the incident,” Infosys said in a public disclosure on Tuesday.

Infosys had earlier said that the loss of contracted revenues and costs incurred with respect to remediation, restoration, communication efforts, investigative processes and analysis, legal services and other services and costs related to the McCamish cybersecurity incident had amounted to $38 million (around Rs 316 crore) as on March 31, 2024. “IMS may incur additional costs including indemnities or damages/claims, which are indeterminable at this time,” it had said.

IMS, in coordination with its third-party eDiscovery vendor, has identified up to about 6.5 million individuals whose information was subject to unauthorised access and exfiltration, according to Infosys. The complaint was purportedly filed on behalf of all individuals within the US whose personally identifiable information was exposed as a result of the incident, it said.

The breach of data relates to information such as email and mailing addresses, phone numbers, birth dates, social security numbers and other identification numbers, usernames, passwords, financial and customer account numbers, policy numbers, salaries and personal medical information.

On May 6, 2024, IMS filed a motion to dismiss the complaint. However, the court document stated that on May 16, “Electronic summons issued to Infosys McCamish Systems”.“Our cybersecurity insurance covers first-party losses that occur due to a cybersecurity incident wherein losses include cost of forensics, appointing a crisis consultant and data restoration. The insurance also provides for business interruption losses that we might have to incur as a result of a system shutdown due to a cyber-incident,” Infosys said.

However, the Bengaluru-based IT company said its insurance may not be adequate to cover all losses in connection with any cybersecurity breach or other incident.

The case relates to a data breach that took place around November 2 last year when certain systems of IMS, a subsidiary of Infosys BPM Ltd (a wholly owned subsidiary of Infosys Limited), were encrypted by ransomware resulting in the non-availability of certain applications. The cybersecurity event occurred after an unauthorized third party accessed IMS systems.

ET reported in February that Bank of America had named IMS as the source of a data leak owing to a ransomware attack suffered by over 57,000 of its users.

As per reports, in April this year, Global Atlantic Financial Group also filed a notice with the Attorney General of Montana after discovering about the data breach at Infosys IMS, one of its vendors.