Infosys McCamish says LockBit stole data of 6 million people

Infosys McCamish Systems (IMS) disclosed that the LockBit ransomware attack it suffered earlier this year impacted sensitive information of more than six million individuals.

IMS is a multinational corporation that provides business consulting, information technology, and outsourcing services. It specializes in covering the needs of firms in the insurance and financial services industries.

The company has a significant presence in the U.S., serving large financial institutions such as Bank of America and seven out of the top ten insurers in the country.

In February 2024, IMS informed the public that it had been hit by a ransomware attack in November 2023, which resulted in the compromise of the personal data of about 57,000 Bank of America customers.

At the time, LockBit claimed the attack and said that it had encrypted 2,000 computers on the IMS network.

In a new notification shared with the authorities in the U.S., IMS now says the total number of people affected by the November 2023 ransomware attack is a little over 6 million.

“With the assistance of third-party eDiscovery experts, retained through outside counsel, IMS proceeded to conduct a thorough and time-intensive review of the data at issue to identify the personal information subject to unauthorized access and acquisition and determine to whom the personal information relates,” reads the notification.

“IMS has notified its impacted organizations of the Incident and of the compromise of any personal information pertaining to them.”

The data confirmed as compromised varies from one individual to another but includes the following:

  • Social Security Number (SSN)
  • Date of birth
  • Medical treatment/record information
  • Biometric data
  • Email address and password
  • Username and password
  • Driver’s License number or state ID number
  • Financial account information
  • Payment card information
  • Passport number
  • Tribal ID number
  • U.S. military ID number

To mitigate the risk from the exposure, the notification letters enclose instructions on how to access a free-of-charge, two-year identity protection and credit monitoring service through Kroll.

IMS has not disclosed which of its clients were impacted, except for Oceanview Life and Annuity Company (OLAC), an Arizona-based fixed and fixed-indexed annuities provider that secures retirement income for policyholders.

IMS’ notice mentions that the list of impacted data owners, currently only listing OLAC, may be supplemented on a rolling basis as more customers request to be named in the filing.