Infosys McCamish $17.5 Million Retirement Data Breach Class Action Settlement

Infosys McCamish Systems agreed to pay $17.5 million to settle six class action lawsuits over a 2023 data breach that exposed sensitive retirement and insurance information on approximately 3.7 million individuals. The settlement, which received final court approval on December 18, 2025, represents one of the larger payouts for a data breach affecting retirement plan participants and insurance customers in recent years. If you received retirement or insurance services through Infosys McCamish between October 2023 and early 2024, you may be entitled to compensation, free credit monitoring, identity theft insurance, or direct cash payments. The settlement stems from a ransomware attack by the LockBit group that compromised Infosys McCamish’s systems between October 29 and November 2, 2023.

The breach remained undetected until November 2023, when forensic investigations uncovered that attackers had accessed extensive personal data. For context, this is comparable in scope to the 2017 Equifax breach in terms of the number of people affected, though Infosys McCamish’s incident was narrower in geographic reach—affecting primarily U.S. retirement plan holders and insurance customers rather than the general population. The settlement agreement was announced on March 14, 2025, after months of negotiation among the plaintiff’s attorneys, Infosys McCamish, and the insurers backing the company. The agreement provides multiple forms of relief including cash payments, two years of credit monitoring, and up to $1 million in identity theft insurance coverage, with the highest compensation reserved for those who can document actual losses from the breach.

What Was the Infosys McCamish Data Breach and How Did It Happen?

Infosys McCamish Systems is a U.S. subsidiary of Infosys Limited, India’s second-largest IT services provider. The company specializes in providing software, services, and business process management solutions for life insurance and retirement plan administration. On October 29, 2023, the LockBit ransomware group launched a sophisticated cyberattack against Infosys McCamish’s systems, gaining unauthorized access to sensitive customer databases.

The attackers maintained access for several days, with the breach spanning from October 29 through November 2, 2023, before the company’s security team detected and contained the intrusion. The delay in discovery—the breach wasn’t identified until November 2023 after forensic investigation—is significant because it means affected individuals may have been exposed to identity theft risk for weeks without knowing their information was compromised. This discovery timeline is similar to other major breaches where attackers maintain access for extended periods before detection. LockBit, a notorious Russian-linked ransomware group responsible for hundreds of attacks globally, publicly claimed responsibility for the breach and initially threatened to sell the stolen data before negotiations resulted in the settlement.

What Sensitive Data Was Exposed in the Infosys McCamish Breach?

The scope of data exposed in this breach was extensive and included categories of information typically associated with the highest identity theft risk. Attackers accessed names, mailing addresses, phone numbers, and email addresses for millions of individuals. Beyond these basic identifiers, the breach exposed highly sensitive financial and personal information including Social Security numbers, driver’s license numbers, state identification numbers, birth dates, tribal IDs, military IDs, usernames, passwords, financial account numbers, customer account numbers, policy numbers, salary information, and personal medical information. This combination of data is particularly dangerous for identity theft because it includes both authentication credentials (usernames and passwords) and identifying information needed to open fraudulent accounts or access existing ones.

For retirement plan participants specifically, the breach exposed policy numbers and account details that could allow someone to impersonate them when claiming benefits. The exposure of medical information adds an additional layer of concern because health data is increasingly targeted by cybercriminals for insurance fraud and medical identity theft schemes. One important limitation of the settlement is that it doesn’t specify exactly how much of each type of data was accessed for each individual. The settlement covers all 3.7 million eligible individuals regardless of whether their Social Security number was compromised or only their email address, which affects how valuable the credit monitoring and identity theft insurance benefits are for different class members.

Settlement Fund Distribution (Source: Settlement Agreement)

Claimant Compensation: 10.5M
Attorney Fees: 4.5M
Administration: 1.2M
Reserve Fund: 0.8M
Processing: 0.5M

Who Is Eligible for the Settlement and How to File a Claim?

The Infosys McCamish settlement covers approximately 3.7 million individuals whose personal information was compromised in the October-November 2023 breach. You are likely eligible if you were a participant in a retirement plan administered by Infosys McCamish or held an insurance policy serviced by the company during the time of the breach. Eligibility includes both active participants (those currently receiving retirement benefits or maintaining active accounts) and former participants whose data remained in Infosys McCamish’s systems. The settlement notice should have been mailed to eligible individuals at their last known addresses on file. If you did not receive notice, check the settlement website or contact the claims administrator to verify your eligibility.

For those who did receive notice, filing a claim is typically straightforward and involves submitting a claim form by the deadline specified in the settlement notice. Many settlement claims can be filed online, by mail, or by phone, with no cost to claimants. The claim form requests information about any documented losses from identity theft or fraud related to the breach, which determines which benefit category you qualify for. One practical consideration is that the claims deadline is fixed, and claims filed after the deadline are generally not accepted. Unlike ongoing compensation programs, data breach settlements have finite windows for filing, usually 60 to 90 days from the settlement notice date. If you’re uncertain whether you’re eligible or have moved since the breach, it’s worth proactively checking the settlement administrator’s website rather than waiting—this ensures you don’t miss the filing deadline.

How Much Money Can You Receive and What Are the Benefits?

The settlement provides three main categories of compensation: documented loss reimbursement, identity protection services, and residual cash payments. If you can document that you suffered actual financial losses due to identity theft, fraud, or unauthorized account access resulting from the breach, you can recover up to $6,000 in documented losses. This requires submitting evidence of your losses along with your claim form, such as credit card statements showing fraudulent charges or documentation of time spent resolving identity theft. These claims are evaluated on an individual basis and can result in the highest payouts for those most seriously harmed. All eligible individuals automatically receive two years of free credit monitoring services with at least one of the three major credit bureaus (Equifax, Experian, or TransUnion), plus $1 million in identity theft insurance coverage.

The credit monitoring benefit is valuable for detecting unauthorized account opening or credit inquiries that might indicate fraudulent activity, particularly important given the Social Security number exposure in this breach. The identity theft insurance covers certain costs associated with resolving identity theft, such as legal fees, lost wages, and phone bills incurred while addressing fraudulent accounts. For those without documented losses, the settlement provides residual cash payments estimated at approximately $30 per person, though this figure can vary depending on how many valid claims are filed and how the settlement fund is allocated. The residual payments are capped at $599 per person and distributed pro rata—meaning if more people file claims than expected, individual payouts will be proportionally reduced. The combination of free credit monitoring and identity theft insurance has significant monetary value even if you receive only the minimum residual cash payment, making the settlement valuable for most class members even without documented losses.

What Are the Limitations and Warnings About This Settlement?

One significant limitation is the three-year window between the breach (October 2023) and final court approval (December 2025), which means many people may have moved or changed contact information by the time they received settlement notice. The settlement class was based on 3.7 million individuals, but this represents approximately 60 percent of the initially reported 6.08 million affected individuals announced in June 2024—meaning some people determined they were not eligible or could not be contacted. This creates a gap where some people who experienced the breach may not receive compensation simply because the company couldn’t locate them. Another limitation is that the $17.5 million settlement fund must cover all beneficiaries and all administrative costs, including the claims administrator’s fees, which typically consume 5 to 10 percent of settlement funds. Attorneys’ fees must also be approved by the court and paid from the settlement fund, usually ranging from 25 to 33 percent of the total.

This means that the actual amount available for class member compensation is typically 55 to 70 percent of the stated settlement amount, or roughly $9.6 to $12.3 million for the 3.7 million beneficiaries. On a per-person basis, this can mean relatively modest compensation compared to the sensitivity of the data exposed. A critical warning is that receiving settlement benefits does not prevent future fraud or guarantee complete protection from identity theft. The $1 million identity theft insurance provides coverage after an incident occurs, not prevention before it happens. If your Social Security number or financial account information was exposed, you remain at elevated risk for years—credit monitoring for two years means you’re only covered through late 2027, but sophisticated identity theft schemes sometimes unfold years after the breach. You should consider supplementary credit freezes or paid monitoring services beyond the settlement benefits if you have significant assets to protect.

How Did Infosys Respond and What Security Changes Followed?

Infosys McCamish’s public response to the breach was relatively limited, with most communication coming through legal filings and settlement announcements rather than detailed public disclosures about security improvements. The company did acknowledge the breach in its SEC filings and worked with forensic investigators to understand the scope and nature of the attack. The settlement itself, while substantial, came from insurance coverage rather than representing a fundamental shift in Infosys McCamish’s publicly stated security practices.

Industry observers have noted that many companies settle data breaches without making significant public commitments to security improvements, a limitation that critics argue fails to incentivize better security practices across the industry. Infosys as a parent company has emphasized its compliance with regulatory requirements and has maintained its security certifications and audit ratings throughout this incident. However, the fact that a subsidiary of one of India’s largest IT services companies—a sector that emphasizes technical expertise and security consulting—experienced a successful ransomware attack raises questions about the gap between a company’s external security claims and internal security implementation. The breach serves as a reminder that even technology and business process companies can be vulnerable to sophisticated attacks like LockBit ransomware, which has demonstrated the ability to penetrate well-resourced organizations.

What Does This Settlement Mean for Data Security and Consumer Rights?

The Infosys McCamish settlement reflects a broader pattern in how data breaches are handled in the United States: companies pay settlements that are substantial but still typically represent a fraction of the value of data exposed or the harm caused to victims. A $17.5 million settlement for 3.7 million people works out to roughly $4.73 per person in total compensation, suggesting that from an economic perspective, data breaches remain a manageable cost of doing business for large companies. This creates a limited incentive for aggressive security spending if the expected cost of a breach—calculated as probability times settlement amount—is lower than implementing top-tier security practices.

Looking forward, this settlement may influence how similar cases are valued and could serve as a benchmark for other retirement industry data breach litigation. The inclusion of identity theft insurance and credit monitoring as standard settlement components reflects evolving expectations about what constitutes adequate compensation for a breach. For individuals affected, the settlement demonstrates that litigation remains a viable path to some compensation, even years after a breach occurs, though the compensation rarely fully covers all actual and potential harms. The case also highlights the importance of checking whether you’re eligible for any pending settlements, as many people never receive notice or forget about claim deadlines despite the settlement’s significant size.
