Infosys has reached an agreement to pay $17.5 million to settle six class action lawsuits in the United States related to a cybersecurity breach involving its subsidiary, Infosys McCamish Systems. The lawsuits stemmed from a cyber incident that disrupted McCamish’s applications and systems in November 2023.
In a stock exchange filing, Infosys updated that the company had reached an agreement in principle with the plaintiffs involved in the lawsuits against Infosys McCamish Systems and some of McCamish’s customers. The filing clarified that this agreement would resolve all ongoing class action lawsuits and the allegations associated with the incident.
The mediation, which took place on March 13, 2025, led to a proposed settlement for the cases filed against McCamish, as well as those against its customers. According to the terms of the proposed settlement, McCamish has agreed to establish a fund amounting to $17.5 million to resolve these issues. However, the settlement remains subject to due diligence, finalization of the agreement, and approval by the court. If approved, the settlement will close the legal proceedings without any admission of liability from Infosys or McCamish.
Infosys had initially disclosed the cybersecurity issue in November 2023, revealing that it was collaborating with a cybersecurity products provider to address the incident. The company had also launched an independent investigation to assess the extent of the breach and its impact on affected systems.
Despite the settlement, Infosys reiterated that data protection and cybersecurity remain top priorities for the company. The company continues to focus on strengthening its systems to avoid future incidents and ensure better protection for its clients and operations.
While the settlement has been proposed, it is still subject to further legal processes, including both preliminary and final court approval. Once the court clears the settlement, it is expected to resolve all allegations without any acknowledgment of fault on the part of Infosys or its subsidiary. The resolution of these lawsuits is seen as a significant step for the company to move forward from the cyber incident and mitigate further legal and reputational risks.
