Infosys McCamish Reveals LockBit Cyberattack Compromised Data of 6 Million Individuals: A Shocking Breach

Remember the LockBit ransomware attack that hit Infosys McCamish Systems (IMS) earlier this year? Well, it turns out the impact was much bigger than initially thought. IMS has now disclosed that sensitive information of more than six million individuals was impacted during the attack.

Who is IMS and why does this matter?

IMS is a multinational corporation that specializes in providing business consulting, information technology, and outsourcing services. They primarily cater to firms in the insurance and financial services industries. You might be familiar with some of their clients, such as Bank of America and seven out of the top ten insurers in the U.S.

Back in February 2024, IMS let the public know about a ransomware attack that occurred in November 2023. The attack resulted in the compromise of personal data for about 57,000 Bank of America customers. LockBit, the group responsible for the attack, claimed to have encrypted 2,000 computers on the IMS network.

The scope of the attack is now much larger

In a notification shared with authorities in the U.S., IMS has revealed that the total number of people affected by the November 2023 ransomware attack is just over 6 million. This was discovered after IMS conducted a thorough review with the help of third-party eDiscovery experts.

IMS has notified impacted organizations about the incident and the compromise of any personal information pertaining to them. The compromised data varies from one individual to another, but it includes sensitive information such as:

• Social Security Number (SSN)
• Date of birth
• Medical treatment/record information
• Biometric data
• Email address and password
• Username and password
• Driver’s License number or state ID number
• Financial account information
• Payment card information
• Passport number
• Tribal ID number
• U.S. military ID number

What’s being done to help?

To help mitigate the risk from this exposure, IMS is offering affected individuals access to a free-of-charge, two-year identity protection and credit monitoring service through Kroll. This service comes with instructions on how to access it in the notification letters sent to affected individuals.

As of now, IMS hasn’t disclosed which of its clients were impacted, except for Oceanview Life and Annuity Company (OLAC), an Arizona-based provider of fixed and fixed-indexed annuities. The list of impacted data owners may be updated on a rolling basis as more customers request to be named in the filing.

What can you do to stay informed and protected?

Incidents like this highlight the importance of staying vigilant about cybersecurity and the potential consequences of data breaches. We encourage you to keep coming back to us for the latest updates and tips on how to protect yourself and your data in an ever-changing digital landscape.