tl;dr: Last week, we were targeted by a criminal extortion attempt. The attackers gained access to a legacy, third-party cloud file storage system.
Our live payment processing platform was not affected. No merchant funds or card numbers were accessed.
We are donating the ransom money to fund cyber crime research.
Last week, Checkout.com was contacted by a criminal group known as “ShinyHunters”, who claimed to have obtained data associated with Checkout.com and demanded a ransom.
Upon investigation, we determined that this data was obtained by gaining unauthorized access to older third-party cloud file storage systems used in 2020 and earlier years. We estimate this will impact less than 25% of our current merchant base. This system was used at the time for internal operational documents and merchant onboarding materials.
This incident has no impact on our payment processing platform. The threat actors do not and never had access to merchant funds or card numbers.
This episode occurred when threat actors gained access to this third-party legacy system that was not properly shut down. This was our mistake and we take full responsibility for it.
We are sorry. We regret that this incident has caused concern to our partners and people. We have begun the process of identifying and contacting those affected and are working closely with law enforcement and relevant regulators. We are fully committed to maintaining your trust.
We will not be extorted by criminals. We will not pay this ransom.
Instead, we are turning this attack into an investment in the security of our entire industry. We will donate the ransom amount to Carnegie Mellon University and the Oxford University Center for Cyber Security (OXCIS) to support their research in the fight against cybercrime.
Security, transparency and trust are the foundations of our industry. We will admit our mistakes, protect our merchants, and invest in the fight against the criminal elements that threaten our digital economy.
We are here to assist our traders in every possible way. As always, we are available through your regular checkout contact point for any additional assistance or questions you may have.
Mariano Albera, Chief Technology Officer, Checkout.com