The Infosys McCamish data breach, stemming from a LockBit ransomware attack earlier this year, has exposed the personal information of over 6 million individuals. Infosys McCamish Systems (IMS), a multinational corporation specializing in business consulting and IT services for insurance and financial institutions, disclosed the wider impact of the incident in a recent notification to authorities.

Previously, in February 2024, IMS had acknowledged a ransomware attack in November 2023 that compromised the data of approximately 57,000 Bank of America customers. LockBit, the ransomware group responsible for the attack, initially claimed to have encrypted data on 2,000 IMS network computers.

The recent notification reveals a significantly larger scale to the data breach. IMS, with the assistance of cybersecurity experts, conducted a thorough investigation to determine the extent of unauthorized access and the types of personal information affected.

“Impacted organizations” were notified by IMS, along with details regarding the compromised personal data. The nature of the exposed information varies but can include Social Security numbers, dates of birth, medical records, biometric data, login credentials (email addresses and passwords, usernames and passwords), driver’s license or state ID numbers, financial account information, payment card details, passport numbers, tribal ID numbers, and even U.S. military ID numbers.

To help mitigate the potential risks of identity theft and financial fraud, IMS is offering those affected free access to a two-year identity protection and credit monitoring service through Kroll. The notification letters contain instructions on how to enroll in this program.

While specific details about other impacted clients haven’t been disclosed yet, Oceanview Life and Annuity Company (OLAC) is one confirmed example. OLAC is an Arizona-based provider of fixed and fixed-indexed annuities. The notification mentions that the list of affected entities might be updated on an ongoing basis as more clients request inclusion.