November 2023 Infosys Hacking Breach Exposed Personal Information of 6 Million People

Infosys McCamish Systems LLC suffered an external system breach last year, described as hacking, that impacted T. Rowe Price Retirement Plan Services and several other Infosys clients, according to a notification filed with the Office of the Maine Attorney General on Monday, amending a June 27 filing.

According to the latest filing, 6,078,263 people were impacted by the breach, which exposed personal information such as Social Security numbers, dates of birth, email addresses, usernames and passwords, driver’s license and passport numbers, biometric data and financial account information. More than 11,000 Maine residents were impacted, according to the filing. Infosys is a third-party vendor to T. Rowe Price, supporting its corporate and business operations. It also serves as an insurance service provider.

PLANSPONSOR reported on the breach in November regarding T. Rowe Price and some other providers, and then reported that systems had come back online in December.

A T. Rowe Price spokesperson said the recordkeeping company reviewed the data, communicated with impacted nonqualified plan clients, and offered them the opportunity to opt in to mailings being made by IMS to impacted individuals. The mailings to these impacted individuals were made on August 23rd and T. Rowe Price’s name has been added by IMS to its regulatory filings in certain states as is customary.

“T. Rowe Price’s systems were not compromised by the incident at IMS and no data was exfiltrated from T. Rowe Price systems,” the spokesperson said.

In addition to T. Rowe Price, the breach notification noted impact to New York Life Group Benefit Solutions, according to Monday’s filing, and Oceanview Life and Annuity Co., according to another June 27 filing. Those firms have not immediately responded to request for comment. Principal Life Insurance Co., Vanguard and Prudential Insurance Co. of America had also previously been reported as being hit by the breach those companies have not immediately responded to requests for comment.

According to the Monday filing, Infosys became aware that its systems were encrypted by ransomware on November 2, 2023. That same day, it began an investigation with the assistance of third-party cybersecurity experts, retained through outside counsel, to determine the nature and scope of the activity. Infosys notified law enforcement and stated that the incident has since been “contained and remediated.”

The investigation determined that unauthorized activity occurred between October 29, 2023, and November 2, 2023, and that data was subject to unauthorized access and acquisition.

In the notification to affected participants, Infosys stated it was providing 24 months of complimentary monitoring services through risk advisory firm Kroll. Infosys also noted that it was unaware of any instances since the incident occurred in which personal information was fraudulently used.