Infosys McCamish Systems (IMS), part of Infosys BPM, will pay $17.5 million to settle class-action lawsuits tied to a cybersecurity breach that occurred in 2023. The company announced the settlement in a recent stock exchange filing, noting it had reached an agreement with affected customers.
IMS services faced major disruptions following a cyberattack linked to the notorious LockBit ransomware gang, impacting the firm's applications and client systems. Bank of America (BofA), a key Infosys customer, traced a data breach compromising the personal information of 57,028 customers back to IMS.
Cybersecurity Incident and Agreed Settlement Terms
As per Infosys, the cybersecurity breach took place between October 29, 2023, and November 2, 2023. An extensive forensic investigation confirmed unauthorized access during this period. The incident resulted in ₹250 crore ($30 million) in financial losses, covering remediation, system recovery, and communication costs.
Following lengthy mediation efforts, Infosys and the plaintiffs agreed to a preliminary settlement on March 13, 2025. The proposed terms require IMS to allocate $17.5 million to a fund intended to compensate affected customers and settle remaining lawsuits.
The settlement remains pending final court approval and the plaintiffs' due diligence process. Infosys clarified that the agreement does not admit liability but is intended to end the legal proceedings and bring closure to the matter.
The 2023 cybersecurity breach severely impacted operations, with the LockBit ransomware group claiming responsibility. Experts had earlier highlighted the security risks associated with third-party providers like IMS, which oversee critical financial data.
