Infosys Breach From 2023 Exposed Personal Data of 6 Million People

Infosys McCamish Systems LLC suffered an external system breach last year, described as hacking, that impacted T. Rowe Price Retirement Plan Services and several other vendor clients, according to a notification filed with the Office of the Maine Attorney General on Monday, amending a June 27 filing.

According to the latest filing, 6,078,263 people were impacted by the breach, which exposed personal information such as Social Security numbers, dates of birth, email addresses, usernames and passwords, driver’s license and passport numbers, biometric data and financial account information. More than 11,000 Maine residents were impacted, according to the filing.

Infosys is a third-party vendor to T. Rowe Price, supporting its corporate and business operations. It also serves as an insurance service provider.

PLANADVISER/PLANSPONSOR had reported on the breach in November for T. Rowe Price and some other providers, and then reported that systems had come back online in December.

In addition to T. Rowe Price, the breach notification noted impact to New York Life Group Benefit Solutions, according to Monday’s filing, and Oceanview Life and Annuity Co., according to another June 27 filing. Those firms have not immediately responded to request for comment. Principal Life Insurance Co., Vanguard and Prudential Insurance Co. of America had also previously been reported as being hit by the breach those companies have not immediately responded to requests for comment.

According to the Monday filing, Infosys became aware that its systems were encrypted by ransomware on November 2, 2023. That same day, it began an investigation with the assistance of third-party cybersecurity experts, retained through outside counsel, to determine the nature and scope of the activity. Infosys notified law enforcement and stated that the incident has since been “contained and remediated.”

The investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023, and that data was subject to unauthorized access and acquisition.

In the notification to affected participants, Infosys stated it was providing 24 months of complimentary monitoring services through risk advisory firm Kroll. Infosys also noted that it was unaware of any instances since the incident occurred in which personal information was fraudulently used.