The Infosys data breach in 2023 exposed the personal data of 6 million people

Infosys McCamish Systems LLC experienced what was described as an external system attack last year that impacted T. Rowe Price Retirement Plan Services and several other customers, according to a notice filed Monday with the Maine attorney general's office, supplementing a June 27 filing.

According to the latest report, 6,078,263 people were affected by the data theft. Personal data such as Social Security numbers, dates of birth, email addresses, usernames and passwords, driver's license and passport numbers, biometric data and bank account information was exposed. More than 11,000 residents of the state of Maine were affected, the report says.

Infosys is a third-party service provider to T. Rowe Price, supporting its corporate and business operations and serving as an insurance services provider.

PLANADVISER/PLANSPONSOR reported on the data theft at T. Rowe Price and some other providers in November and then announced in December that the systems were back online.

In addition to T. Rowe Price, New York Life Group Benefit Solutions (according to a report Monday) and Oceanview Life and Annuity Co. (according to another report June 27) were also named in the data breach reports. Those firms did not immediately respond to a request for comment. Principal Life Insurance Co., Vanguard and Prudential Insurance Co. of America were also previously affected by the data breach, but those companies did not immediately respond to a request for comment.

According to the filing on Monday, Infosys became aware on November 2, 2023, that its systems had been encrypted by ransomware. That same day, the company launched an investigation to determine the nature and extent of the activity with the help of third-party cybersecurity experts brought in through outside legal counsel. Infosys notified law enforcement and said the incident has since been “contained and remediated.”

The investigation found that unauthorized activities occurred between October 29, 2023, and November 2, 2023, and that data was exposed to unauthorized access and collection.

In the notification to affected participants, Infosys said it is providing free monitoring services through risk consulting firm Kroll for 24 months. Infosys also noted that it is not aware of any cases of personal information being used fraudulently since the incident.
