Hackers breached Sinqia S.A., a Brazilian subsidiary of Evertec, gaining unauthorized access to its environment on Brazil’s Central Bank real-time payment system (Pix) on August 29, 2025. The attackers exploited stolen credentials from an IT vendor’s account to attempt unauthorized business-to-business transactions, targeting $130 million across two financial institutions (including HSBC, per local media). While part of the funds were recovered, the full financial and reputational damage remains unclear. Sinqia’s Pix access was revoked by the Central Bank, disrupting operations for 24 financial institutions relying on its infrastructure. No personal data was exposed, but the incident triggered forensic investigations and regulatory scrutiny. The attack highlights vulnerabilities in third-party vendor security and the risks of real-time payment system exploits, with potential material financial and reputational consequences for Sinqia and Evertec.
TPRM report: https://www.rankiteo.com/company/sinqia
"id": "sin507090325",
"linkid": "sinqia",
"type": "Cyber Attack",
"date": "8/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'customers_affected': '24 financial institutions '
'(including HSBC)',
'industry': 'financial software and IT services',
'location': 'São Paulo, Brazil',
'name': 'Sinqia S.A.',
'type': 'subsidiary (public company)'},
{'industry': 'financial technology (transaction '
'processing)',
'location': 'Latin America, Puerto Rico, Caribbean '
'(HQ: San Juan, Puerto Rico)',
'name': 'Evertec, Inc.',
'type': 'parent company (public)'},
{'customers_affected': 'none (no impact on customer '
'funds/data)',
'industry': 'banking',
'location': 'Brazil',
'name': 'HSBC (Brazil)',
'type': 'financial institution (customer of Sinqia)'}],
'attack_vector': ['stolen credentials (IT vendor account)',
'business-to-business transaction fraud'],
'customer_advisories': ['HSBC statement (no customer impact)'],
'data_breach': {'sensitivity_of_data': 'none',
'type_of_data_compromised': 'none'},
'date_detected': '2025-08-29',
'date_publicly_disclosed': '2025-08-29',
'description': 'Hackers gained unauthorized access to Sinqia S.A.’s '
'environment on Brazil’s Central Bank real-time payment system '
'(Pix) and attempted to steal $130 million. The breach was '
'detected on August 29, 2025, prompting Sinqia to halt Pix '
'transaction processing. Part of the stolen amount has been '
'recovered, and investigations revealed the use of stolen '
'credentials from an IT vendor’s account. Sinqia’s access to '
'Pix was revoked by the Central Bank of Brazil pending '
'restoration. The incident impacted 24 financial institutions, '
'including HSBC (though no customer funds or data were '
'compromised). The full financial and reputational impact '
'remains unknown.',
'impact': {'brand_reputation_impact': 'potentially material (under '
'assessment)',
'data_compromised': 'none (no evidence of personal data exposure)',
'downtime': 'Pix transaction processing halted; access revoked by '
'Central Bank of Brazil (restoration in progress)',
'financial_loss': '$130 million (attempted theft; partial recovery '
'ongoing)',
'identity_theft_risk': 'none',
'operational_impact': 'Disruption to 24 financial institutions '
'using Sinqia’s Pix services',
'payment_information_risk': 'none (no customer funds or data '
'compromised)',
'systems_affected': ['Sinqia’s Pix payment environment']},
'initial_access_broker': {'entry_point': 'IT vendor account (stolen '
'credentials)',
'high_value_targets': ['Pix payment system',
'business-to-business '
'transactions']},
'investigation_status': 'ongoing (partial fund recovery; Pix access '
'restoration pending)',
'motivation': 'financial gain',
'post_incident_analysis': {'root_causes': ['compromised IT vendor '
'credentials']},
'references': [{'date_accessed': '2025-08-29', 'source': 'Evertec SEC Filing'},
{'source': 'Local Media Reports (HSBC Implication)'}],
'regulatory_compliance': {'regulatory_notifications': ['U.S. Securities and '
'Exchange Commission '
'(SEC)',
'Central Bank of '
'Brazil']},
'response': {'communication_strategy': ['SEC filing', 'media statements'],
'containment_measures': ['halted Pix transaction processing'],
'incident_response_plan_activated': True,
'remediation_measures': ['working with authorities to restore '
'Pix access',
'recovery of stolen funds'],
'third_party_assistance': ['cybersecurity forensics experts']},
'stakeholder_advisories': ['SEC filing',
'Central Bank of Brazil notifications'],
'title': 'Unauthorized Access and Attempted Theft of $130 Million from Sinqia '
'S.A. via Brazil’s Pix Payment System',
'type': ['unauthorized access', 'fraud attempt', 'credential theft'],
'vulnerability_exploited': 'Weak credential security (IT vendor account '
'compromise)'}