Checkout.com Breach Exposes Legacy Data: Company Stands Firm Against Ransom Demands
In a recent cybersecurity incident, Checkout.com, a prominent payment processing firm, disclosed that the hacking group ShinyHunters infiltrated an outdated third-party cloud storage system, compromising internal documents from prior years. The breach, attributed to the company’s oversight in decommissioning the legacy platform, affected less than 25% of its current merchant base, with critical payment infrastructure remaining secure.
The breach came to light when ShinyHunters, known for high-profile data thefts involving companies like Microsoft, AT&T, and Ticketmaster, contacted Checkout.com with ransom demands, claiming possession of sensitive data linked to the London-based fintech firm. Checkout.com processes billions in transactions annually for global e-commerce giants.
Upon investigation, Checkout.com confirmed unauthorized access to a cloud system used before 2020 for internal operational documents and merchant onboarding materials. Mariano Albera, the company’s Chief Technology Officer, acknowledged the oversight, stating, "This was our mistake, and we take full responsibility."
Scope of the Data Breach
The compromised legacy system, managed by a third-party provider, was not properly retired, creating a vulnerability exploited by the hackers. Importantly, the attackers did not access the live payment processing platform; no merchant funds, card numbers, or real-time transaction data were compromised.
ShinyHunters, active since at least 2020, has a reputation for selling stolen data on dark web forums, often targeting financial and tech sectors. Their tactics typically involve exploiting misconfigurations or weak access controls, aligning with the decommissioning lapse in this case. Security experts highlight this incident as a reminder of the risks posed by zombie systems—forgotten infrastructure that remains vulnerable to cybercriminals.
Checkout.com’s Response and Commitment
Emphasizing transparency, Checkout.com has refused to yield to extortion. Albera declared, "We will not pay this ransom." Instead, the company plans to donate an equivalent amount to Carnegie Mellon University and the University of Oxford’s Cyber Security Center, funding research to combat cybercrime.
"Security, transparency, and trust are the foundation of our industry," Albera added. "We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy."
The firm is now notifying affected merchants and collaborating with law enforcement and regulators to mitigate the fallout. Albera expressed regret, stating, "We are sorry. We regret that this incident has caused worry for our partners," and offered direct support through account managers.
Industry Implications and Lessons Learned
This incident underscores the critical importance of diligent decommissioning processes for legacy systems. Outdated platforms, if not properly retired, can become significant vulnerabilities, providing entry points for cybercriminals.
Organizations are reminded to conduct regular audits of their IT infrastructure, ensuring that all systems, especially those no longer in active use, are securely decommissioned. Implementing robust access controls and continuously monitoring for unauthorized activities are essential steps in safeguarding sensitive data.
Furthermore, the decision by Checkout.com to refuse the ransom and instead invest in cybersecurity research sets a precedent for how companies can respond to such threats. By choosing to support initiatives aimed at combating cybercrime, organizations can contribute to the broader effort of enhancing digital security.
Conclusion
The Checkout.com data breach serves as a stark reminder of the ever-present threats in the digital landscape. It highlights the necessity for organizations to maintain vigilant security practices, ensure the proper decommissioning of legacy systems, and foster a culture of transparency and accountability. By learning from such incidents and investing in proactive measures, companies can better protect themselves and their stakeholders from future cyber threats.