Infosys, a major tech company, has been identified as the source of a data leak affecting the United States. The breach was disclosed in a filing on November 3, 2023, which stated that Infosys McCamish Systems LLC (IMS), its US subsidiary, had experienced a cyber security incident leading to the unavailability of certain applications and systems. A data breach notification filed in Maine this week described the event as an "External system breach (hacking)" and reported that the improperly accessed data included "Name or another personal identifier in combination with Social Security Number."

The outside attorney representing Bank of America identified IMS as the source of a data leak affecting 57,028 individuals. A letter sent to those affected by the incident revealed that IMS informed Bank of America on November 24 that data related to deferred compensation plans serviced by the bank may have been compromised. Bank of America's systems, however, were not compromised.

The situation is concerning because it's unclear what personal information was accessed during the IMS incident. Potentially compromised information includes names, addresses, business email addresses, dates of birth, Social Security numbers, and other account details. This provides fraudsters with almost everything they need for identity fraud, given that the term "deferred compensation plan" refers to private pensions, retirement savings plans, and stock options awards. The term can also describe payouts under life insurance policies, which The Register notes because IMS bills itself as "the center of excellence for Infosys's Life Insurance software solutions and services offerings in the US."

The Register has requested an explanation from Infosys regarding the incident, but as of now, no response has been received. However, it's worth noting that on November 4, 2023, an allegation surfaced suggesting that the notorious LockBit ransomware-as-a-service gang was responsible for the IMS incident. Ransomware certainly aligns with the description of the incident.

Victims have been advised to change passwords and monitor their accounts for unauthorized activity, and have been offered the customary two years of free identity theft protection services from Experian.