When LockBit ransomware companies attacked Infosys McCamish Systems (IMS) in late 2023, they did not steal sensitive information of around 57,000 people, as initially thought.
Instead, cybercriminals stole valuable information about more than six million people, according to a new report shared by the IMS with US authorities.
“With the assistance of third-party eDiscovery experts hired by third-party consultants, IMS proceeded to conduct a thorough and time-consuming review of the data in question to identify the personal information subject to unauthorized access and acquisition and to determine to whom the personal information relates,” the company said in its notice. “IMS has notified affected organizations of the incident and the compromise of personal information relating to them.”
Identity theft abounds
The type of information stolen from people varies from individual to individual, but generally the threat actors stole people’s Social Security numbers (SSN), dates of birth, medical information, biometrics, email addresses, passwords, driver’s license numbers, state information. ID numbers, financial account information, payment card information, passport numbers, tribal ID numbers, and US military ID numbers.
More than enough information to launch devastating phishing or identity theft attacks.
To combat the threat, IMS has offered affected individuals free identity protection and credit monitoring services through Kroll for a period of two years.
In November 2023, Bank of America filed a data breach report with the Office of the Maine Attorney General, stating that the incident originated from an Infosys subsidiary. The report, filed on behalf of Bank of America by an outside attorney, stated that Infosys McCamish Systems (IMS), a unit of the Indian technology services giant, is an outside advisor to Bank of America.
The total number of people affected by the incident, which occurred on October 29, 2023 and was discovered a day later, is said to be around 57,000, with the hackers stealing names (or other personal identifying information) and Social Security Numbers (SSN). The incident was described as a “remote system intrusion (hacking)”.
IMS did not say which companies were affected by this incident, other than Oceanview Life and Annuity Company.
Through BleepingComputer