Breach Notification , Fraud Management & Cybercrime , Ransomware
Insurance Software Vendor Notifies 6.1 Million of 2023 Hack
InfoSys McCamish Systems Earlier Alerted 57,000 Bank of America Clients of BreachInfosys McCamish Systems, an insurance software product and services vendor, is notifying nearly 6.1 million people of a 2023 ransomware incident that potentially comprised their sensitive data, including Social Security numbers, medical treatment, and financial and biometric information.
IMS told Maine's attorney general in a report Thursday that the hacking incident, discovered on Nov. 2, 2023, affected about 6.08 million individuals, including 11,866 Maine residents.
IMS, which is an Atlanta-based subsidiary of InfoSys BPM Limited, filed a notice with the U.S. Securities and Exchange Commission on Nov. 3, 2023, to report a cybersecurity incident involving "non-availability" of certain IMS systems and applications.
In a notice posted on its website, IMS said that on Nov. 2, 2023, the company learned that certain IMS systems were encrypted by ransomware.
"That same day, IMS began an investigation with the assistance of third-party cybersecurity experts, retained through outside counsel, to determine the nature and scope of the activity, assist with containment and ensure no ongoing unauthorized activity," the statement said.
IMS also said it promptly notified law enforcement. The company said the incident has since been contained and remediated. A cyber forensic investigation determined that unauthorized activity occurred between Oct. 29 and Nov. 2, 2023.
In February, IMS reported to Maine's attorney general that the incident affected client Bank of America and about 57,000 of deferred compensation plan customers (see: Hack at Software Services Firm Affects 57,000 BoA Customers).
Since then, IMS' ongoing investigation and "thorough and time-intensive review of the data at issue" identified the extent of personal information that was subject to unauthorized access and acquisition, according to the company's latest breach report to Maine regulators.
"IMS processes data on behalf of a number of organizations as part of providing corporate and business market operations for its customers," the breach notice says.
"IMS has notified those customers whose data was subject to unauthorized access and acquisition. Where IMS is considered the data owner, IMS is in the process of informing individuals whose personal information was subject to unauthorized access and acquisition."
The company's investigation determined that data compromised in the incident includes Social Security number, birthdate, medical treatment and record information, biometric data, email address and password, driver's license number or state ID number, financial account information, payment card information, passport number, tribal ID number, and U.S. military ID number.
IMS said it is unaware of any instances since the incident in which the affected personal information of individuals has been fraudulently used. Nonetheless, IMS is offering affected individuals 24 months of complimentary identity and credit monitoring.
The firm said it also has taken measures to reduce the likelihood of a similar event occurring in the future. "We continue to make additional improvements that strengthen our cybersecurity posture," IMS said in its breach notice.
Pending Litigation
IMS is already facing at least two proposed federal class action lawsuits, which in May were consolidated into one case filed in the U.S. District Court for the Northern District of Georgia, involving the hacking incident. Those lawsuits were filed in March and May by two plaintiffs who are Bank of America customers affected by the breach.
The complaint in the consolidated case alleges, among other claims, that IMS was negligent in failing to safeguard plaintiffs' and class members' sensitive personal identifiable information.
The lawsuit seeks financial damages as well as injunctive relief requiring IMS to improve its cyber practices and controls, including implementing and maintaining a comprehensive information security program.
An attorney representing IMS in its latest breach report to Maine's attorney general did not immediately respond to Information Security Media Group's request for additional information about the incident, including how many other clients - besides Bank of America - were affected by the hack.
Last week, IMS reported that its revenue declined for the first time in eight years, falling 4.3% to $442 million in the year ended December 31, 2023.
The company said the disruptive cyberattack cost $30 million to resolve, according to a report by Indian business news outlet LiveMint.