A federal court in the United States has officially granted final approval to a $17.5 million settlement involving Infosys McCamish Systems LLC, a subsidiary of the global technology giant Infosys. The court’s order, finalized on December 18, 2025, resolves a series of consolidated class action lawsuits stemming from a massive 2023 ransomware attack that compromised the personal and financial data of more than six million individuals.
The settlement provides a legal conclusion to allegations that the company failed to maintain adequate cybersecurity protocols, leading to one of the most significant third-party vendor breaches in recent years. By settling, Infosys McCamish avoids further litigation costs and the uncertainty of a trial, while notably maintaining its position of no admitted liability or wrongdoing.
$17.5 Million Infosys McCamish Settlement Approved
| Metric | Detail | Status |
| Settlement Amount | $17.5 Million USD | Final Court Approval Granted |
| Total Impacted | ~6.08 to 6.5 Million Individuals | Documented in Court Filings |
| Claim Deadline | December 1, 2025 | Expired |
| Max Individual Claim | Up to $6,000 | For Documented Losses |
| Approval Date | December 18, 2025 | 30-Day Appeal Period Commenced |
Anatomy of the Breach: The 2023 Ransomware Incident
The litigation centered on a cybersecurity event that occurred between October 29 and November 2, 2023. During this window, the LockBit ransomware group gained unauthorized access to the systems of Infosys McCamish, a firm that provides critical life insurance and retirement software services to some of the world’s largest financial institutions.
According to investigative reports, the attackers exfiltrated a vast cache of sensitive data before deploying ransomware to encrypt over 2,000 corporate systems. While the company worked with third-party cybersecurity experts to restore operations by the end of 2023, the scope of the exposure grew significantly as forensic reviews progressed. Initial reports estimated the impact at 57,000 individuals, but updated filings with the Office of the Maine Attorney General in 2024 revealed the true scale: approximately 6.08 million people were affected.
Eligibility and Impacted Institutions
The settlement class includes all persons residing in the United States whose personal information was compromised during the incident. Because Infosys McCamish acts as a backend service provider, many affected individuals were customers of other major financial entities rather than direct clients of Infosys.
Major organizations whose customer data was caught in the breach include:
- Bank of America
- Fidelity Investments Life Insurance Company
- T. Rowe Price
- New York Life Group Benefit Solutions
- Prudential Insurance Company of America
The compromised information was exceptionally sensitive, including Social Security numbers, dates of birth, financial account numbers, driver’s license data, passport numbers, and, in some cases, biometric data and medical treatment information.
Breakdown of Settlement Benefits
The $17.5 million fund is allocated to address various forms of harm suffered by class members. The court-approved distribution plan includes several tiers of compensation:
1. Documented Out-of-Pocket Losses
Class members who submitted valid claims by the December 1, 2025 deadline are eligible for reimbursement of up to $6,000. This covers “out-of-pocket” expenses such as fees for credit reports, professional help to resolve identity theft, and documented travel or communication costs related to mitigating the breach’s impact.
2. Time Spent Compensation
Recognizing that managing the fallout of a data breach is time-consuming, the settlement allows for compensation for hours spent on remediation tasks, such as monitoring accounts or freezing credit.
3. Credit Monitoring and Insurance
Claimants were eligible to enroll in two years of complimentary credit monitoring and identity restoration services provided by Kroll. This package typically includes $1 million in identity theft insurance.
4. Residual Cash Payments
After administrative costs, legal fees, and documented claims are paid, the remaining balance of the $17.5 million fund will be distributed as “Residual Cash Payments.” These are currently estimated at approximately $30 per person, though the final amount depends on the total number of valid claims processed.
Legal and Market Implications
The final approval of the $17.5 Million Infosys McCamish Settlement serves as a significant marker in the landscape of corporate data liability. For Infosys, the settlement allows the company to move forward without the shadow of ongoing litigation, which had previously caused volatility in its stock price and multiple trading halts on the New York Stock Exchange (NYSE).
For the broader industry, the case underscores the growing legal risk faced by third-party “Business Process Outsourcing” (BPO) firms. When a service provider like McCamish is breached, the liability often extends across its entire roster of corporate clients, making security at the vendor level a critical point of failure for the entire financial ecosystem.
2026 COLA Update: Why Higher Social Security and SSI Rates May Not Raise Your Take-Home Pay
FAQs About $17.5 Million Infosys McCamish Settlement
1. Can I still file a claim for the $17.5 million settlement?
No. The court-mandated deadline for filing a claim was December 1, 2025. If you did not submit a claim form electronically or postmark a physical copy by that date, you are no longer eligible for monetary benefits from this specific fund.
2. When will I receive my settlement check?
The court granted final approval on December 18, 2025. There is a standard 30-day period for potential appeals. If no appeals are filed, the settlement will become “effective” in late January 2026. Payments are typically processed and mailed out several weeks to a few months after the effective date.
3. What happens if I received a notice but didn’t file a claim?
If you did not file a claim and did not officially “opt-out” (exclude yourself) by the November 3, 2025 deadline, you are bound by the court’s order. This means you cannot sue Infosys McCamish or the affected financial institutions (like Bank of America or Fidelity) for this specific data breach in the future, even though you will not receive a payment.
4. Is the $17.5 million enough to cover all victims?
Because over 6 million people were affected, the $17.5 million fund results in a relatively small per-person payout (estimated around $30) for those who did not have documented identity theft. However, those with high documented losses are prioritized for the larger $6,000 reimbursement tier.
5. How do I know if I was part of the settlement class?
The settlement class primarily includes individuals who were sent an “individualized statutory notice” regarding the 2023 breach. If you were a customer of Bank of America, Fidelity, or T. Rowe Price during that window and received a letter about the Infosys McCamish breach, you were likely eligible.
