{"id":165015,"date":"2024-06-29T19:55:26","date_gmt":"2024-06-29T19:55:26","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=165015"},"modified":"2024-06-29T19:55:28","modified_gmt":"2024-06-29T19:55:28","slug":"infosys-mccamish-systems-data-breach-lockbit","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/165015\/data-breach\/infosys-mccamish-systems-data-breach-lockbit.html","title":{"rendered":"Infosys McCamish Systems data breach impacted over 6 million people"},"content":{"rendered":"
<\/div>\n

Infosys McCamish Systems (IMS) revealed that the 2023 data breach following the LockBit ransomware attack impacted 6 million individuals.<\/h2>\n\n\n\n

IMS specializes in providing business process outsourcing (BPO) and information technology (IT) services specifically tailored for the insurance and financial services industries.<\/gwmw><\/p>\n\n\n\n

Infosys McCamish Systems (IMS) <\/gwmw>disclosed the security breach on November 3, 2023, in a\u00a0filing<\/strong><\/a>\u00a0with SEC, the company reported it was the victim of a cyberattack that resulted in the non-availability of certain applications and systems.<\/p>\n\n\n\n

McCamish immediately launched an investigation into the incident and worked on the remediation with the help of cybersecurity consultants.<\/p>\n\n\n\n

At the time, the company did not reveal the type of attack it suffered, however, on November 4, the\u00a0LockBit ransomware<\/a>\u00a0gang claimed responsibility for the attack.<\/gwmw><\/p>\n\n\n\n

The company restored the impacted systems by December 31, it also estimated the losses caused by the incident will be at least $30 million.<\/gwmw><\/p>\n\n\n\n

\u201cOn the basis of analysis conducted by the cybersecurity firm, McCamish believes that certain data was exfiltrated by unauthorized third parties during the incident and this exfiltrated data included certain customer data. McCamish has engaged a third-party e- discovery vendor in assessing the extent and nature of such data. This review process is ongoing. McCamish may incur additional costs including indemnities or damages\/claims, which are indeterminable at this time.\u201d reads the\u00a0statement<\/a>\u00a0sent to the SEC. \u201cInfosys had previously communicated the occurence of this cybersecurity incident to BSE Limited, National Stock Exchange of India Limited, New York Stock Exchange and to United States Securities and Exchange Commission on November 3, 2023.\u201d<\/em><\/gwmw><\/p>\n\n\n\n

In February, Bank of America began notifying<\/strong><\/a> some customers following the IMS data breach. The bank sent notification letters to 57,000 customers, informing them that their personal information has been compromised<\/gwmw><\/p>\n\n\n\n

Now the company revealed that the 2023 data breach after the LockBit ransomware<\/a> attack impacted 6 million individuals. <\/p>\n\n\n\n

The investigation determined that threat actors gained access to the company systems between October 29, 2023, and November 2, 2023.<\/gwmw><\/gwmw><\/gwmw><\/p>\n\n\n\n

“The in-depth cyber forensic investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023.” reads the data breach notification sent by the company to the impacted individuals. “Through the investigation, it was also determined that data was subject to unauthorized access and acquisition. With the assistance of third-party eDiscovery experts, retained through outside counsel, IMS proceeded to conduct a thorough and time-intensive review of the data at issue to identify the personal information subject to unauthorized access and acquisition and determine to whom the personal information relates. IMS has notified its impacted organizations of the Incident and of the compromise of any personal information pertaining to them.”<\/em><\/p>\n\n\n\n

The sensitive personal data of 6,078,263 people has been compromised<\/strong>. Now, victims’ names, Social Security numbers, financial information, and medical information may be in the hands of criminals, putting victims at a greater risk of identity theft and other frauds.” reads a press release<\/a> published by the company.<\/em><\/gwmw><\/p>\n\n\n\n

“On\u00a0June 27, 2024, Infosys McCamish filed a notice with the Attorney General of\u00a0Maine\u00a0describing a data breach affecting consumers nationwide. In this notice, Infosys McCamish explains that customers of Oceanview Life & Annuity Company were among those affected. However, in previous filings, Infosys McCamish has indicated that customers of other companies were also affected, including Union Labor Life Insurance, Newport Group, Inc., and more.”<\/em><\/p>\n\n\n\n

IMS determined that exposed data includes:<\/p>\n\n\n\n