Tl;dr: Last week, we were targeted by a criminal extortion attempt. The attackers gained access to a legacy, third-party cloud file storage system.
Our live payment processing platform was not impacted. No merchant funds or card numbers were accessed.
We are donating the ransom amount to fund cybercrime research.
Last week, Checkout.com was contacted by a criminal group known as “ShinyHunters”, who claimed to have obtained data connected to Checkout.com and demanded a ransom.
Upon investigation, we determined that this data was obtained by gaining unauthorized access to a legacy third-party cloud file storage system, used in 2020 and prior years. We estimate that this would affect less than 25% of our current merchant base. The system was used for internal operational documents and merchant onboarding materials at that time.
This incident has not impacted our payment processing platform. The threat actors do not have, and never had, access to merchant funds or card numbers.
The episode occurred when threat actors gained access to this third party legacy system which was not decommissioned properly. This was our mistake, and we take full responsibility.
We are sorry. We regret that this incident has caused worry for our partners and people. We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We are fully committed to maintaining your trust.
We will not be extorted by criminals. We will not pay this ransom.
Instead, we are turning this attack into an investment in security for our entire industry. We will be donating the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center (OXCIS) to support their research in the fight against cybercrime.
Security, transparency and trust are the foundation of our industry. We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy.
We are here to assist our merchants in whatever way we can. As always, we are available through your regular Checkout point of contact for any further assistance or questions you may have.
Mariano Albera, Chief Technology Officer, Checkout.com
.png)
_conversion%20tactics.png)
%20(1).png)
