“On July 8, 2024, another class action complaint arising out of the same incident was filed in the same court against McCamish. The complaint was purportedly filed on behalf of all individuals residing in the United States whose private information was accessed and/or acquired by an unauthorized party as a result of the incident,” Infosys said in the filing.
Mails seeking comment from Infosys were directed to response made during Q1 earnings where CEO Salil Parekh said “McCamish is in the process of coordinating with its clients to ensure all the notifications are provided. In addition, the U.S. State Attorney Generals and Insurance Commissioners have also been notified.”
This development comes a month after the court consolidated two previous class actions on June 4, 2024. McCamish, in coordination with its third-party eDiscovery vendor, has identified up to approximately 6.5 million individuals whose information was subject to unauthorized access and exfiltration.
In an earlier filing, the company had stated, “The information associated with each individual varies, but the data as a whole includes information such as email and mailing addresses, phone numbers, birth dates, social security numbers and other identification numbers, usernames, passwords, financial and customer account numbers, policy numbers, salaries and personal medical information.”
Discover the stories of your interest
After the cyber security breach, on March 6, 2024, a class action complaint was filed in the U.S. District Court for the Northern District of Georgia against McCamish. “The complaint was purportedly filed on behalf of all individuals within the United States whose personally identifiable information was exposed to unauthorized third parties as a result of the incident. On May 6, 2024, McCamish filed a motion to dismiss the complaint”, Infosys said in the filing.On May 15, 2024, another class action complaint arising out of the same incident was filed in the same court against McCamish.
On June 3, 2024, the plaintiffs in the two class actions filed a motion to consolidate the two cases. On June 4, 2024, the court consolidated the two class actions and closed the class action that was filed on May 15, 2024.
Plaintiff’s complaints
As per the court document seen by ET, the plaintiff complained that he was a participant in a deferred compensation plan serviced by Bank of America.
“As a result, Plaintiff was injured in the form of lost time dealing with the consequences of the Data Breach, which included and continues to include: time spent verifying the legitimacy and impact of the Data Breach; time spent exploring credit monitoring and identity theft insurance options; time spent self-monitoring their accounts with heightened scrutiny and time spent seeking legal counsel regarding their options for remedying and/or mitigating the effects of the Data Breach.”
The complaint added, “Plaintiff was also injured by the material risk to future harm they suffer based on defendant’s breach; this risk is imminent and substantial because plaintiff’s data has been exposed in the breach, the data involved, including Social Security numbers, is highly sensitive and presents a high risk of identity theft or fraud; and it is likely, given defendant’s clientele, that some of the class’s information that has been exposed has already been misused.”
“Indeed, about two months ago, an unknown and unauthorized actor made a series of fraudulent attempts on the plaintiff’s Bank of America VISA card for purchases of $1200-$1500 from Zales.com. Plaintiff was required to receive a new VISA card, and additionally had to reset several automatic billing cycles in response.”