LockBit ransomware attack stole data on millions of Infosys McCamish users

When LockBit ransomware affiliates struck Infosys McCamish Systems (IMS) in late 2023, they did not steal sensitive information on some 57,000 people, as was initially thought. 

Instead, the threat actors stole valuable intel on more than six million people, according to a new report IMS shared with the US authorities.

“With the assistance of third-party eDiscovery experts, retained through outside counsel, IMS proceeded to conduct a thorough and time-intensive review of the data at issue to identify the personal information subject to unauthorized access and acquisition and determine to whom the personal information relates,” the company said in its notification. “IMS has notified its impacted organizations of the Incident and of the compromise of any personal information pertaining to them.”

Identity theft galore

The type of information stolen from people varies from one individual to the next, but in general, the threat actors stole people’s Social Security Numbers (SSN), birth dates, medical information, biometric data, email addresses, passwords, Driver’s License numbers, state ID numbers, financial account information, payment card information, passport numbers, Tribal ID numbers, and US military ID numbers. 

That is more than enough information to mount devastating phishing or credential theft attacks, especially against those without identity theft protection.

To combat the threat, IMS provided affected individuals with free identity protection and credit monitoring services through Kroll, for a period of two years. 

Back in November 2023, Bank of America filed a data breach report with the Office of the Maine Attorney General, in which it said that the incident originated from an Infosys subsidiary. The report, filed on behalf of Bank of America by an outside attorney, stated that Infosys McCamish Systems (IMS), a part of the Indian tech services giant, is an outside counsel for Bank of America.

The total number of people who were affected by the incident, which happened on October 29, 2023 and was discovered a day later, was said to be roughly 57,000, with the hackers stealing names (or other personal identifiers) and Social Security Numbers (SSN). The incident was described as an “external system breach (hacking)”.

IMS did not say which companies were affected by this incident, other than Oceanview Life and Annuity Company.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.