InfoSys McCamish Systems failure to implement standard industry regulated security practices allowed hackers to easily steal identities.

A class action lawsuit was recently filed following an announcement by InfoSys McCamish (IMS), a U.S, subsidiary of the Indian based global technology giant Infosys, that it’s network was targeted in a ransomware attack back in November 2023 and that the identities of 6,078,263 million people were negatively impacted by the data breach.

Based in Alatanta, Georgia, IMS provides software solutions and outsourcing services to major insurance companies and financial institutions.

What Happened?

According to a notice filed with the Attorney General of Maine, on November 2, 2023, IMS became aware that certain IMS systems were encrypted by ransomware. That same day, IMS notified law enforcement and launched an investigation with the assistance of third-party cybersecurity experts, retained through outside counsel, to undertake a full forensic analysis and determine the nature and extent of the compromise, secure its systems, and identify what information may have been affected and to whom it relates.

On November 4th, the ransomware gang LockBit claimed responsibility for the attack, alleging it had exfiltrated 50 GB of data and encrypted 2,000 computers. IMS offered to pay $50,000 for the decryption key and to dissuade the ransomware gang from publishing the stolen data on the dark web. LockBit rejected the offer and threatened to auction the stolen data for $500,000.

In February 2024, IMS acknowledged that a ransomware attack was responsible fore the service disruptions that affected certain information systems on November 2, 2023.

The investigation concluded that the data breach took place between October 29, 2023 and November 2. 2023. By May 24, 2024, the identities of those persons impacted by the breach was concluded and beiginning on June 27, 2024, the company began mailing out notices to affected individuals.

While several companies confirmed that the IMS data breach impacted their customers, the tech giant only mentioned the Arizona-based fixed annuity solutions provider Oceranview Life and Annuity Company (OLAC). Other known victims of the LockBit ransware data breach include Bank of America (BofA), Fidelity Investments Life Insurance (FILI), Newport Group, and Union Labor Life Insurance.

What Information Was Stolen During the Breach?

According to industry cybersecurity experts, the extent of information stolen as a result of the breach is severe. “This is an example of customers becoming passive victims in a process where they cannot take any action beyond hoping the breach isn’t so bad,” lamented Evan Dornbush, form NSA cybersecurity expert. “While some of the compromised data can be easily replaced – such as credit card numbers, license and passport identifiers are less easily renewed, and the loss of medical treatment and biometric data is irrevocably damaging to one’s privacy.”

According to the lawsuit, The personally identifiable information and protected health information involved in the breach includes –

• full names,
• Social Security numbers,
• dates of birth,
• email address and passwords,
• driver’s license numbers or state ID numbers,
• medical information,
• tribal ID numbers,
• U.S. military ID numbers,
• passport numbers
• payment cards information,
• biometric data
• medical treatment information, and
• financial account information.

What is IMS Doing to Protect My Identity?

In its Notice Letter to affected individuals, IMS is offering 24 months of complimentary credit monitoring and identity theft services. The company also advised impacted individuals to remain vigilant by reviewing their financial account statements and credit reports for suspicious activity.

Omitted from the Notice Letter was the identity of the cybercriminals who perpetrated the data breach, the details of the root cause of the data breach, and vulnerabilities exploited, and the remdical measures undertaken to ensue such a breach does not occur again.

What Can Hackers Do With My Information?

Stolen PII and PHI can be used to commit identity theft, open new credit accounts, make unauthorized purchases or obtain loans. Cyber-criminals have recently targeted America’s essential industries and in so doing have forced millions of Americans to face the fallout from these attacks.

Leaked or stolen data can be sold on the dark web forums and may be used for fraud and medical identity theft, a type of fraud, where threat actors use stolen information to submit forged claims to insurers.

Clients affected by the breach are exposed to a heightened and imminent risk of fraud and identity theft. They must now and in the future closely monitor their financial accounts to guard against identity theft and fraud.

If you receive a data breach notification from IMS, it is essential you understand what is at risk and what you can do about it. A data breach lawyer can help you learn more about how to protect yourself from becoming a victim of fraud or identity theft, as well as discuss your legal options at no cost to you. For more information, please review these recommendations.

Protect Your Identity. Join the IMS Data Breach Class Action.

The lawsuit alleges that IMS breached its duties under common law and the Federal Trade Commission Act to implement reasonable security measures, comply with industry standards and federal data-security regulations, encrypt sensitive data, and provide adequate and timely notice of the breach.

If you receive a notification letter from IMS or any of the client Companies affected by the breach, you are at permanent risk of identity theft and the devastating financial and legal consequences that go along with it.

You may be eligible to participate in a class action lawsuit to recover compensation for loss of privacy, time spent dealing with the breach, out-of-pocket costs, and more.

The lawsuit looks to cover anyone in the USA whose private information was compromised by the breach announced by InfoSys McCamish Systems.

Please complete the below form shown on this page and a data breach attorney will contact you. There is no cost to you.

Tags: cyber attack   data breach   Data Privacy   Identity Theft   personal health information   Personal Identifying Information   ransomware