Wells Fargo named in cyberattack on Infosys subsidiary McCamish, which affected 6 million

From March 6, 2024 through July 25, 2024, six complaints were filed in a US District Court against McCamish.

Wells Fargo, one of the big four American banks, was named by McCamish Systems, a US subsidiary of the Indian IT major Infosys, in last year's cyberattack that impacted 60 lakh individuals.

McCamish Systems disclosed to the Attorney General of Maine, US, that in addition to Wells Fargo, two US-based companies—Continental Casualty Company and KN&A, Inc (doing business as The Nolan Financial Group)—were also impacted by the cyberattack. These firms specifically requested to be named in the filing.

In November 2023, it was revealed that a ransomware attack took place on October 29, 2023, and was discovered by the company the next day. Infosys McCamish Systems is a subsidiary of Infosys BPM Limited which, in turn, is a wholly owned wing of Infosys.

"Data protection and cybersecurity are of utmost importance to us," Infosys said in a regulatory filing on November 3, 2023. In February this year, Bank of America named Infosys McCamish Systems as the source of the data breach that affected 57,028 of its customers.

In addition to Wells Fargo, Continental Casualty Company, and KN&A, McCamish has revealed that the cyberattack impacted many other clients. These include New York Life Group Benefit Solutions, T Rowe Price Retirement Plan Services, Principal Life Insurance Company, Prudential Insurance Company of America, and Oceanview Life and Annuity Company.

From March 6 through July 25, 2024, six complaints were filed in the US District Court for the Northern District of Georgia against McCamish arising out of the cybersecurity incident.

Five of the complaints were purportedly filed on behalf of individuals whose personally identifiable information was exposed to unauthorised third parties as a result of the incident. The sixth complaint was filed by an individual proceeding on their behalf.

“As of August 7, 2024, all six actions have been consolidated into the first-filed action,” Infosys said on October 17. A first-filed action is filed in a civil procedure when two parties bring the same issue to multiple courts.

Infosys believes that the legal actions it faces will not significantly harm the company’s financial results or overall health once they are resolved.

On November 2, 2023, the Infosys subsidiary became aware that some of its systems were encrypted by ransomware. The company immediately launched an investigation with the assistance of leading third-party cybersecurity experts to undertake a full forensic analysis. McCamish maintains that the incident has since been contained and remediated.

McCamish notified the impacted organisations of the incident and of the compromise of any personal information pertaining to them. The leaked information may include social security numbers, dates of birth, biometric data, email addresses, usernames and passwords, driver's licence numbers and passport numbers.

Further, McCamish offered 24 months of complimentary credit monitoring and dedicated call-centre services. Additionally, it provides individuals with information on how to place a fraud alert and security freeze on one’s credit file, information on protecting against tax fraud, etc.