Hands typing on laptop keyboard showing data breach from LockBit ransomware

Infosys McCamish Systems LockBit Ransomware Data Breach Impacted 6 Million People, Leaked Extensive PII

Infosys McCamish Systems (IMS) has disclosed that over 6 million people were impacted by the 2023 LockBit ransomware data breach.

Based in Atlanta, Georgia, IMS is a US subsidiary of the Indian technology juggernaut Infosys. It provides software solutions and outsourcing services to major insurance companies and financial institutions.

In February 2024, IMS said a ransomware attack was responsible for the disruptions that affected certain information systems on November 2, 2023.

On November 4, 2023, the LockBit ransomware gang claimed responsibility for the cyber attack, alleging that it exfiltrated 50 GB of data and encrypted 2,000 computers.

IMS offered to pay $50,000 for the decryption key and to dissuade the ransomware gang from publishing the stolen data on the dark web. However, LockBit rejected the offer and threatened to auction the stolen data for $500,000.

Infosys LockBit ransomware data breach leaked extensive personal information

IMS said it launched an investigation involving third-party cyber forensics experts to determine the scope of the incident and notified law enforcement.

“With the assistance of third-party eDiscovery experts, retained through outside counsel, IMS proceeded to conduct a thorough and time-intensive review of the data at issue to identify the personal information subject to unauthorized access and acquisition and determine to whom the personal information relates,” IMS said in a statement.

A new filing with the Office of the Maine Attorney General says the LockBit ransomware gang breached IMS between October 29, 2023, and November 2, 2023, and accessed the sensitive personal information of 6,078,263 people, which varies by individual.

IMS says the LockBit ransomware data breach leaked extensive personal details, including Social Security Numbers, dates of birth, medical records, biometric data, email address and password, username and passwords, Driver’s License numbers or state ID numbers, financial account information, payment card information, passport number, tribal ID numbers, and US military ID numbers.

Infosys believes the LockBit ransomware gang has not misused the stolen personal information for fraud. However, impacted victims face the persistent risk of identity theft and phishing attacks as long as their personal information is circulating on the dark web.

“This is an example of customers becoming passive victims in a process where they cannot take any action beyond hoping the breach isn’t so bad,” lamented Evan Dornbush, former NSA cybersecurity expert. “While some of the compromised data can be easily replaced – such as credit card numbers, license and passport identifiers are less easily renewed, and the loss of medical treatment and biometric data is irrevocably damaging to one’s privacy.”

To protect the victims from fraud, IMS is offering 24 months of complimentary credit monitoring and identity theft services through Kroll. The company also advised impacted individuals to remain vigilant by reviewing their financial account statements and credit reports for suspicious activity.

Several companies victim of third-party breach

While several companies confirmed that the IMS data breach impacted their customers, the tech giant only mentioned the Arizona-based fixed annuity solutions provider Oceanview Life and Annuity Company (OLAC). Other known victims of the LockBit ransomware data breach include Bank of America (BofA), Fidelity Investments Life Insurance (FILI), Newport Group, and Union Labor Life Insurance.

Meanwhile, IMS says it has notified all impacted organizations “of the compromise of any personal information pertaining to them.” The company will also directly contact all impacted individuals, “where IMS is considered the data owner.”

Other victims will likely receive data breach notifications from their respective companies. So far, 30,000 Fidelity Investments Life Insurance and 57,000 Bank of America customers have been notified.

Reputational damage, additional expenses due to extortion payments that could run into millions, loss of income, and expensive lawsuits and fines by regulatory authorities after a ransomware attack existentially threaten breached companies.

IMS faces two class action lawsuits in the US District Court for the Northern District of Georgia as a result of the 2023 data breach. The company also lost $30 million in revenues after the LockBit ransomware attack.