Bank of America Data Breach Settlement: $17.5 Million for the 2023 Infosys McCamish Breach
A third-party vendor breach exposed data of 6.5 million people — the $17.5M settlement closed claims in December 2025 with payouts expected in 2026.
Last reviewed: April 2026
Editorially Reviewed — Content reviewed for accuracy using published legal research, government data, and verified court records. See our methodology
Reviewed by Leonard Goldberg, Editor · Last updated
What the Lawsuit Alleges
Between October 29 and November 2, 2023, LockBit ransomware operators attacked Infosys McCamish Systems (IMS), a third-party benefits-administration vendor used by Bank of America and other institutions, stealing sensitive personal data. IMS notified BofA on November 24, 2023, and BofA sent breach notices on February 6, 2024. About 6.5 million people were ultimately affected, with exposure of Social Security numbers, financial account details, and medical information. The class action (McNally v. Infosys McCamish Systems LLC) alleged IMS failed to maintain adequate security. Bank of America itself was not a defendant — the claims ran against the breached vendor.
Case Details
U.S. District Court, Northern District of Georgia — McNally v. Infosys McCamish Systems LLC, Case No. 1:24-cv-00995-JPB. Consolidated complaint Nov 2024; preliminary approval July 16, 2025; final approval December 18, 2025.
Current Status
Who Is Affected & Can You Join?
Individuals who received a breach notice confirming their information was compromised in the October–November 2023 Infosys McCamish incident — including BofA deferred-compensation plan participants and customers of other institutions that used IMS. Over 3.7 million received mailed notices. The December 1, 2025 deadline has passed.
Is There a Payout?
Case Timeline
- 1
LockBit Ransomware Attack (Oct–Nov 2023)
LockBit operators breached Infosys McCamish Systems, exfiltrating sensitive data of millions of customers of IMS's financial-institution clients, including Bank of America.
- 2
Notification & Scope Expansion (Nov 2023–Feb 2024)
IMS notified BofA on Nov 24, 2023; BofA sent breach notices on Feb 6, 2024. By April 2024, ~6.5 million individuals were determined to be affected.
- 3
Class Actions Consolidated (2024)
Multiple suits were consolidated in the Northern District of Georgia as McNally v. Infosys McCamish Systems LLC; a consolidated complaint was filed in November 2024.
- 4
Settlement Approval (Jul–Dec 2025)
The parties reached a $17.5M settlement; preliminary approval July 16, 2025 and final approval December 18, 2025. The claim deadline was December 1, 2025.
- 5
Distribution Phase (2026)
Absent appeals, payments to valid claimants are expected in spring/summer 2026; the residual cash payment is estimated around $30, with more for documented-loss claims.
Scam & Misinformation Warnings
Whenever a brand lawsuit goes viral, scam sites and bad actors follow. Watch for these red flags:
BofA Impersonation Emails
Scammers send emails appearing to be from Bank of America offering a 'data breach compensation payment' and linking to fake sites. BofA was not the defendant, the administrator is for McNally v. Infosys McCamish, and the deadline has passed.
Fake 'Credit Monitoring Activation' Phishing
Because credit monitoring was a settlement benefit, fraudsters send phishing emails to 'activate' it and harvest credentials. Legitimate activation comes from the administrator via the official settlement site.
Broader 'BofA Settlement' Confusion
Multiple unrelated Bank of America settlements exist (overdraft/junk fees). Always verify the specific settlement through official court dockets before sharing personal information.
Frequently Asked Questions
Was Bank of America hacked directly?
No. BofA's own systems were not breached. The attack targeted Infosys McCamish Systems (IMS), a third-party vendor that administered products for BofA and others. IMS's breach exposed data BofA had shared with it.
Can I still file a claim?
No. The claim deadline was December 1, 2025 and is permanently closed. If you didn't submit a valid claim by then, you're not eligible for monetary benefits.
How much will claimants receive?
The estimated pro-rata residual cash payment is about $30, depending on the number of valid claims. Documented-loss claimants can receive up to $6,000, and all timely claimants get two years of credit monitoring.
When will payments be distributed?
Final approval was December 18, 2025. Absent appeals, payments are expected in spring or summer 2026; appeals could extend the timeline.
What data was exposed?
Highly sensitive information including Social Security numbers, dates of birth, names, addresses, financial account numbers, and medical information — varying by which institution's data IMS was processing.
Is this only for Bank of America customers?
No. It covers everyone who received an Infosys McCamish breach notice for the 2023 incident, regardless of institution. IMS served multiple clients; ~6.5 million people were affected and over 3.7 million received mailed notices.
Did Infosys or Bank of America admit wrongdoing?
No. Infosys McCamish denied liability; Bank of America was not a defendant and made no admissions. The settlement was a negotiated resolution.
Separate from this case: were you injured in the last 2 years?
Class-action payouts are fixed amounts through an administrator. A personal injury claim is a different case — and often worth far more. Free estimate, no obligation.