For more stories like this, sign up for the PLANADVISERdash daily newsletter.
Infosys Breach From 2023 Exposed Personal Data of 6 Million People
T. Rowe Price and New York Life were cited in a filing with the Maine Attorney General on previously reported breach at vendor.
Infosys McCamish Systems LLC suffered an external system breach last year, described as hacking, that impacted T. Rowe Price Retirement Plan Services and several other vendor clients, according to a notification filed with the Office of the Maine Attorney General on Monday, amending a June 27 filing.
According to the latest filing, 6,078,263 people were impacted by the breach, which exposed personal information such as Social Security numbers, dates of birth, email addresses, usernames and passwords, driver’s license and passport numbers, biometric data and financial account information. More than 11,000 Maine residents were impacted, according to the filing.
Infosys is a third-party vendor to T. Rowe Price, supporting its corporate and business operations. It also serves as an insurance service provider.
PLANADVISER/PLANSPONSOR had reported on the breach in November for T. Rowe Price and some other providers, and then reported that systems had come back online in December.
In addition to T. Rowe Price, the breach notification noted impact to New York Life Group Benefit Solutions, according to Monday’s filing, and Oceanview Life and Annuity Co., according to another June 27 filing. Those firms have not immediately responded to request for comment. Principal Life Insurance Co., Vanguard and Prudential Insurance Co. of America had also previously been reported as being hit by the breach those companies have not immediately responded to requests for comment.
According to the Monday filing, Infosys became aware that its systems were encrypted by ransomware on November 2, 2023. That same day, it began an investigation with the assistance of third-party cybersecurity experts, retained through outside counsel, to determine the nature and scope of the activity. Infosys notified law enforcement and stated that the incident has since been “contained and remediated.”
The investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023, and that data was subject to unauthorized access and acquisition.
In the notification to affected participants, Infosys stated it was providing 24 months of complimentary monitoring services through risk advisory firm Kroll. Infosys also noted that it was unaware of any instances since the incident occurred in which personal information was fraudulently used.
You Might Also Like:
UC Schools Report Fraudulent Activity in Fidelity Retirement Accounts
Fidelity Data Breach Exposed Info of 77,000 Clients
Quantifying Cybersecurity Risks
« Schroders Announces Richard Oldfield as Group Chief Executive