Infosys settles $17.5 million lawsuit over US cyberattack: ‘The proposed terms are subject to…’

Infosys has agreed to pay $17.5 million (around Rs 152 crore) to settle lawsuits related to a cyber data breach at its US subsidiary, Infosys McCamish Systems (McCamish). The security breach occurred in November 2023. It exposed about 6.5 million individuals’ data to unauthorized access and affected some McCamish customers. The lawsuits were filed in response to this incident.
In a regulatory filing dated March 13, 2025, Infosys said that McCamish and the plaintiffs reached an agreement in principle during mediation. The agreement includes a proposed settlement for class action lawsuits against McCamish and its customers.
The settlement, once finalized and approved by the court, will resolve all pending lawsuits without any admission of liability. The agreement is still subject to confirmation, due diligence by plaintiffs, and final court approval.
"On March 13, 2025, McCamish and the plaintiffs engaged in mediation, resulting in an agreement in principle, which sets forth the terms of a proposed settlement of class action lawsuits against McCamish, as well as class action lawsuits that have been filed against McCamish’s customers”, the filing reads.
"The proposed terms are subject to confirmation and due diligence by the plaintiffs, finalization of the terms of the settlement agreement, as well as preliminary and final court approval. Once approved, the settlement will resolve all allegations made in the class action lawsuits without admission of any liability," it further added.
In February 2024, ET reported that Bank of America identified McCamish as the source of a data leak linked to a ransomware attack affecting over 57,000 users. This incident led to several lawsuits against McCamish. Infosys had earlier said the breach impacted its revenues and costs, reducing its operating margin by 60 basis points.