Pierluigi Paganini June 29, 2024

Infosys McCamish Systems (IMS) revealed that the 2023 data breach following the LockBit ransomware attack impacted 6 million individuals.

IMS specializes in providing business process outsourcing (BPO) and information technology (IT) services specifically tailored for the insurance and financial services industries.

Infosys McCamish Systems (IMS) disclosed the security breach on November 3, 2023, in a filing with SEC, the company reported it was the victim of a cyberattack that resulted in the non-availability of certain applications and systems.

McCamish immediately launched an investigation into the incident and worked on the remediation with the help of cybersecurity consultants.

At the time, the company did not reveal the type of attack it suffered, however, on November 4, the LockBit ransomware gang claimed responsibility for the attack.

The company restored the impacted systems by December 31, it also estimated the losses caused by the incident will be at least $30 million.

“On the basis of analysis conducted by the cybersecurity firm, McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data. McCamish has engaged a third-party e- discovery vendor in assessing the extent and nature of such data. This review process is ongoing. McCamish may incur additional costs including indemnities or damages/claims, which are indeterminable at this time.” reads the statement sent to the SEC. “Infosys had previously communicated the occurence of this cybersecurity incident to BSE Limited, National Stock Exchange of India Limited, New York Stock Exchange and to United States Securities and Exchange Commission on November 3, 2023.”

In February, Bank of America began notifying some customers following the IMS data breach. The bank sent notification letters to 57,000 customers, informing them that their personal information has been compromised

Now the company revealed that the 2023 data breach after the LockBit ransomware attack impacted 6 million individuals.

The investigation determined that threat actors gained access to the company systems between October 29, 2023, and November 2, 2023.

“The in-depth cyber forensic investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023.” reads the data breach notification sent by the company to the impacted individuals. “Through the investigation, it was also determined that data was subject to unauthorized access and acquisition. With the assistance of third-party eDiscovery experts, retained through outside counsel, IMS proceeded to conduct a thorough and time-intensive review of the data at issue to identify the personal information subject to unauthorized access and acquisition and determine to whom the personal information relates. IMS has notified its impacted organizations of the Incident and of the compromise of any personal information pertaining to them.”

“The sensitive personal data of 6,078,263 people has been compromised. Now, victims’ names, Social Security numbers, financial information, and medical information may be in the hands of criminals, putting victims at a greater risk of identity theft and other frauds.” reads a press release published by the company.

“On June 27, 2024, Infosys McCamish filed a notice with the Attorney General of Maine describing a data breach affecting consumers nationwide. In this notice, Infosys McCamish explains that customers of Oceanview Life & Annuity Company were among those affected. However, in previous filings, Infosys McCamish has indicated that customers of other companies were also affected, including Union Labor Life Insurance, Newport Group, Inc., and more.”

IMS determined that exposed data includes:

• Names,
• Social Security numbers,
• Medical information,
• Biometric data,
• Financial account information, and
• Passport numbers.

The company is not aware of any abuses of the exposed data, however, it offered twenty-four months of complimentary credit monitoring to current customers for individuals associated with those customers

“Although we are unaware of any instances since the Incident occurred in which the personal information has been fraudulently used, IMS is nevertheless offering impacted individuals complimentary credit monitoring for twenty-four (24) months and dedicated call center services as well as providing guidance on how to protect against identity theft and fraud, including advising individuals to report any suspected identity theft or fraud to their financial institutions.” concludes the notification. “IMS is also providing individuals with information on how to place a fraud alert and security freeze on one’s credit file, information on protecting against tax fraud, the contact details for the national credit reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for fraud and identity theft by reviewing account statements and monitoring credit reports, and encouragement to contact the Federal Trade Commission, their Attorney General, and law enforcement to report attempted or actual identity theft and fraud.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Infosys McCamish Systems)