Global payment service provider Checkout.com has disclosed a data breach after a known hacking group attempted to extort it.
The incident, Checkout says, involved a legacy, third-party cloud file storage system that had not been used since 2020, and did not affect its payment processing platform.
“The system was used for internal operational documents and merchant onboarding materials at that time,” the company says.
“The episode occurred when threat actors gained access to this third-party legacy system which was not decommissioned properly. This was our mistake, and we take full responsibility,” Checkout notes.
According to the platform, the attackers did not access merchant funds or card numbers.
Checkout has launched an investigation into the attack to determine its scope and identify the affected entities. It has reported the attack to law enforcement and the relevant regulators.
The attack, the company says, was claimed by the notorious ShinyHunters extortion group, which emerged in 2020 and joined forces with Scattered Spider earlier this year. In September, Scattered Spider and ShinyHunters jointly announced their retirement.
In October, a new group called Scattered LAPSUS$ Hunters – likely an offshoot of Lapsus$, Scattered Spider, and ShinyHunters – emerged and claimed responsibility for a Salesforce campaign that impacted dozens of organizations.
The group leaked millions of records allegedly stolen from compromised Salesforce instances and also attempted to extort Salesforce, but the company said the hackers’ claims were related to past or unsubstantiated incidents.
Their attempt to extort Checkout failed too. “We will not be extorted by criminals. We will not pay this ransom,” the company said.
“Instead, we are turning this attack into an investment in security for our entire industry. We will be donating the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to support their research in the fight against cybercrime,” Checkout added.
Related: In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
Related: CISA Confirms Exploitation of Latest Oracle EBS Vulnerability
Related: Scattered Spider Suspect Arrested in US
Related: Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks
