⛓ Supply Chain
Infosys McCamish Systems LockBit ransomware breach (6 million insurance customers)
Incident Details
The LockBit ransomware group attacked Infosys McCamish Systems (IMS) between 29 October and 2 November 2023, claiming to have encrypted 2,000+ corporate systems. IMS is a major BPO provider to US insurance companies. Data was exfiltrated on 6+ million individuals whose insurers outsourced operations to IMS. The data included SSNs, dates of birth, medical records, biometric data, email/password combinations, driver's licences, financial account info, payment card info, passport numbers, and military IDs, among the most extensive PII categories in any known breach. Estimated losses are $30+ million, and there was a $17.5 million class action settlement. The supply chain impact is that insurance policyholders of IMS clients (including Bank of America's insurance subsidiary) were affected without having any direct relationship with Infosys.
Technical Details
- Initial Attack Vector: unknown
- Vendor / Product: Infosys McCamish Systems (insurance BPO/outsourcing provider)
- Malware Family: LockBit ransomware
- Supply Chain Attack: ✅ Confirmed third-party / vendor compromise
Timeline
- 2023-10-29 Breach occurred
- 2023-11-03 Publicly disclosed
- 2024-02-01 Customers notified