India’s IT bellwether Infosys announced that a US court approved a settlement of class action lawsuits involving its subsidiary Infosys McCamish Systems LLC.
In a stock exchange filing on Saturday, the IT major said a US court had granted final approval to a settlement that covers all pending class actions against McCamish and related entities, without any admission of liability.
The cases relate to class action lawsuits filed in the United States against McCamish, which provides technology and outsourcing services to insurance and financial firms.
Infosys had first disclosed these cases to investors in a company statement on November 3 2023, and has been providing periodic updates in its financial statements. On March 13, 2025, McCamish and the plaintiffs took part in a mediation process that resulted in an “agreement in principle” setting out proposed settlement terms.
Under that agreement, McCamish has agreed to pay $17.5 million into a settlement fund to resolve the lawsuits. The fund is intended to settle claims not just against McCamish but also against certain customers who had been named in related class actions.
Infosys said the court granted final approval to this settlement on December 18, 2025. If no appeal is filed within 30 days of that order, the settlement will become effective, and all allegations in the class action suits will be fully resolved, again with no admission of wrongdoing by McCamish.
Cybersecurity analysts reportedly stated that the settlement stemmed from a ransomware attack on Infosys McCamish’s systems between late October and early November 2023, which led to the unauthorised access and exfiltration of sensitive data belonging to millions of US insurance and retirement-plan customers.
Regulatory and court filings in the US indicated that personal information such as names, addresses, dates of birth, Social Security numbers, policy and account details, and in some cases medical and salary data, may have been exposed for an estimated 6–6.5 million individuals across multiple financial institutions that used McCamish as a technology vendor.
In the class action suit, plaintiffs accused McCamish not only of inadequate security but also of delays and gaps in breach notification, with at least one US state regulator subsequently penalising the company for shortcomings in its response.