UK-based payment services provider **Checkout.com** experienced a security breach involving its **legacy third-party cloud file storage system**, compromised by the **ShinyHunters extortion group**. The attackers demanded a ransom, which the company refused to pay directly. Instead, Checkout.com redirected the demanded amount to **Carnegie Mellon University** and the **University of Oxford Cyber Security Center** to fund cybercrime research. The incident highlights risks associated with third-party cloud vulnerabilities, exposing potential data leaks or operational disruptions. While the company avoided direct ransom payment, the attack underscores the persistent threat of **ransomware-driven extortion** targeting financial service providers. The breach’s scope—whether customer or internal data was accessed—remains undisclosed, but the involvement of a high-profile threat actor suggests significant exposure risks. The decision to fund research rather than pay ransom aligns with ethical cybersecurity practices but does not eliminate the initial compromise’s impact on trust and system integrity.
Source: https://www.scworld.com/brief/alleged-massive-steam-breach-downplayed
Checkout.com cybersecurity rating report: https://www.rankiteo.com/company/checkout
"id": "CHE5363553111725",
"linkid": "checkout",
"type": "Ransomware",
"date": "5/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"{'affected_entities': [{'industry': 'financial services (payments)',
'location': 'United Kingdom',
'name': 'Checkout.com',
'type': 'payment services provider'}],
'attack_vector': ['compromised legacy third-party cloud file storage'],
'data_breach': {'data_exfiltration': True},
'date_publicly_disclosed': '2025-11-14',
'description': 'UK-based payment services provider Checkout.com experienced a '
'compromise of its legacy third-party cloud file storage '
'system by the ShinyHunters extortion group. Instead of paying '
'the ransom, Checkout.com donated the demanded amount to '
'Carnegie Mellon University and the University of Oxford Cyber '
'Security Center for cybercrime research.',
'impact': {'brand_reputation_impact': 'potential negative impact (public '
'disclosure of breach)',
'data_compromised': True,
'payment_information_risk': 'potential (payment services provider)',
'systems_affected': ['legacy third-party cloud file storage']},
'initial_access_broker': {'entry_point': ['legacy third-party cloud file '
'storage']},
'investigation_status': 'ongoing (implied by public disclosure)',
'motivation': ['financial gain', 'extortion'],
'post_incident_analysis': {'corrective_actions': ['donation to cybercrime '
'research instead of ransom '
'payment'],
'root_causes': ['compromise of legacy third-party '
'cloud storage']},
'ransomware': {'data_exfiltration': True, 'ransom_demanded': True},
'references': [{'date_accessed': '2025-11-14', 'source': 'The Register'}],
'response': {'communication_strategy': ['public denial of ransom payment via '
'The Register'],
'incident_response_plan_activated': True,
'remediation_measures': ['donated ransom amount to cybercrime '
'research (Carnegie Mellon University, '
'University of Oxford)']},
'threat_actor': ['ShinyHunters'],
'title': 'Checkout.com Ransomware Incident by ShinyHunters (2025)',
'type': ['ransomware', 'data breach', 'extortion']}