Infosys McCamish Systems, a subsidiary of Infosys BPM, has agreed to pay a $125,000 administrative penalty under a stipulation and consent order with the Vermont Department of Financial Regulation. The fine resolves claims related to IMS’s failure to provide timely and accurate information during a 2023 cybersecurity incident investigation, as well as delays in notifying affected data owners. IMS did not admit any wrongdoing and avoided a formal hearing by settling the matter.

This penalty follows a larger settlement earlier in March 2025, when IMS agreed to contribute $17.5 million to a class-action lawsuit fund tied to the same incident. That breach, which disrupted several systems and applications, is reported to have affected up to 6.5 million individuals, with sensitive data—including Social Security numbers and financial details—compromised during a ransomware attack understood to be linked to the LockBit group.

Infosys has stated that the $17.5 million settlement does not imply liability, and is aimed at concluding ongoing litigation without further legal escalation. The more recent $125,000 penalty targets procedural lapses during the cybersecurity probe rather than the breach itself.

The incident and penalties illustrate increasing regulatory scrutiny on cybersecurity governance, particularly in sectors handling sensitive financial data such as pension management, insurance, and life annuities—IMS’s core domain. Experts note that the combined financial hit and reputational impact likely surpasses $30 million, factoring in remediation efforts and legal expenses.

This evolving case underscores a broader trend: organizations face rising expectations not just for preventing breaches but also for rapid disclosure, transparent communication, and regulatory compliance post-incident. As global regulations tighten, ensuring procedural credibility is becoming as critical as the security posture itself.