Checkout.com hacked, refuses ransom payment, donates to security labs

StrangeSound | 582 points

It’s notable that there were ShinyHunters members arrested by the FBI a few years ago. I was in prison with Sebastian Raoult, one of them. We talked quite a bit.

The level of persistence these guys went through to phish at scale is astounding—which is how they gained most of their access. They’d otherwise look up API endpoints on GitHub and see if there were any leaked keys (he wasn’t fond of GitHub's automated scanner).

https://www.justice.gov/usao-wdwa/pr/member-notorious-intern...

joshmn | 19 hours ago

I love this part (no trolling from me):

> We are sorry. We regret that this incident has caused worry for our partners and people. We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators. We are fully committed to maintaining your trust.

I know there will be a bunch of cynics who say that an LLM or a PR crisis team wrote this post... but if they did, hats off. It is powerful and moving. This guy really falls on his sword / takes it on the chin.

throwaway2037 | a day ago

If I was a customer I'd be pissed off, but this is as good a response as you can have to an incident like this.

- timely response

- initial disclosure by company and not third party

- actual expression of shame and remorse

- a decent explanation of target/scope

I could imagine being cynical about the statement, but look at other companies who have gotten breached in the past. Very few of them do well on all points.

prodigycorp | a day ago

The donation is more or less virtue signaling rather than actual insight.

The problem cannot be helped by research against cybercrime. Proper practices for protection are well established and known; they just need to be implemented.

The amount donated should rather have been invested into better protections / hiring a person responsible in the company.

(Context: The hack happened on a not properly decommissioned legacy system.)

lexlambda | a day ago

> The attackers gained access to a legacy, third-party cloud file storage system.

I think the answer is ok but the "third-party" bit reads like trying to deflect part of the blame on the cloud storage provider.

arbll | a day ago

I don't understand some of the cynicism in this thread. This is a bold move and I support it. It is impossible to not have incidents like this, and until there's a proper post-mortem we won't really know how much of it can be attributed to carelessness. They could have just kept it hush-hush, but I appreciate that they came forward with it and also donated money to academia. The research will be open and everybody benefits.

another_twist | 19 hours ago

"The system was used for internal operational documents and merchant onboarding materials at that time"

To me it seems most likely that this is data collected during the KYC process during onboarding, meaning company documents, director passport or ID card scans, those kind of things. So the risk here for at least a few more years until all identity documents have expired is identity theft possibilities (e.g. fraudsters registering their company with another PSP using the stolen documents and then processing fraudulent payments until they get shut down, or signing up for bank accounts using their info and tax id).

globalise83 | 21 hours ago

While a nice gesture, I'm not so certain that if I were one of their "less than 25%" of customers impacted that I'd be so pleased. Why not compensate them instead?

JohnMakin | 17 hours ago

I don't think they meant OXCIS, that seems to be a centre for Islamic Studies https://en.wikipedia.org/wiki/Oxford_Centre_for_Islamic_Stud...

I can't quite work out who they donated to - it seems there are a number of Oxford Uni cybersec/infosec units. Any idea which one?

antonyh | 20 hours ago

So, I used to work in the fintech world and it looks to me like what was hacked was merchant KYB documents. I.e. when a merchant signs up for a PSP they have to provide various documentation about the business so the PSP can underwrite the risk of taking on this business. I.e. some PSPs won't deal with porn companies or travel companies or companies from certain regions etc.

This sort of data is generally treated very differently to the actual PANs and payment information (which are highly encrypted using HSMs).

So it's obviously shitty to get hacked, but if it was just KYB (or KYC) type information, it's not harming any individuals. A lot of KYB information is public (depending on country).

Fair play on them for being open about this.

saberience | 21 hours ago

When they say "The episode occurred when threat actors gained access to this third party legacy system which was not decommissioned properly." for me it sounds like a not properly wiped disk that got into the bad guys' hands. It would be interesting to know more to be prepared for proper decommissioning of hardware.

dmoreno | a day ago

I wish they'd disclose the donated amount and whether the target departments will help the company in any way in return.

tsoukase | 6 hours ago

Interesting spin: a core infrastructure provider that deals with the most sensitive part of most businesses tries to bury the lede of getting hacked with a tale of their virtuous refusal to pay a ransom. Is this supposed to make them attractive, or just have people skip the motivating events? Swing and a miss in my books.

skeeter2020 | 17 hours ago

Isn't it illegal in many countries to pay a ransom?

(If not, why not?)

(Imho, it would make sense if only the state can pay ransoms)

amelius | 21 hours ago

They're "sorry", they want to be "transparent" and "accountable", they want your "trust", but not enough to publicly explain what happened or what kind of data got taken (is a full CRM backup from 6 years ago considered "legacy" "internal operational documents"?). There's not even a promise to produce more information about their mistake.

> Jimmy, where did the cookies go?

> Something that was on the counter is gone! I don't know how! It might not even be my fault! But I'm sorry!

What kind of an apology is that? It's not. It's marketing for the public while they contact the "less than 25% of [their] current merchant base" whose (presumably sensitive) information was somehow in "internal operational documents".

Oh, but they also took some of what they charge their customers and gave that (undisclosed?) sum away to a university. They must be really sorry.

zetanor | 20 hours ago

Sometimes cyber insurance will come to the rescue. That's why companies don't pay.

nashashmi | a day ago

Bravo - I find this incredibly courageous and will consider being their customer in the future.

whimsicalism | 16 hours ago

Giving me MBA vibes. Will they close up shop and go when it's the remaining 75% of their infrastructure next time?

dizhn | 21 hours ago

Could this be aws s3?

pm2222 | a day ago

If everyone refused to pay, such incidents would be largely reduced.

begueradj | 18 hours ago

They are downplaying the severity of the data theft, which most likely includes user identification documents, the most dangerous type of breach, since it directly enables identity theft.

Reading between the lines reveals the severity they're obfuscating, with contradictions:

> This incident has not impacted our payment processing platform. The threat actors do not have, and never had, access to merchant funds or card numbers.

> The system was used for internal operational documents and merchant onboarding materials at that time.

> We have begun the process to identify and contact those impacted and are working closely with law enforcement and the relevant regulators

They stress that "merchant funds or card numbers" weren't accessed, yet acknowledge contacting "impacted" users; this begs the question: how can users be meaningfully "impacted" by mere onboarding paperwork?

WhereIsTheTruth | 19 hours ago

> The threat actors do not have, and never had, access to merchant funds or card numbers.

> The system was used for internal operational documents and merchant onboarding materials at that time.

Ah, so just all of your KYC for founders, key personnel, and the corporation to impersonate business accounts.

> We estimate that this would affect less than 25% of our current merchant base.

Yikes, this affects 25% of their current merchant base.

yieldcrv | 11 hours ago

"Checkout.com hacked" -> links to checkout.com lol

amatecha | 10 hours ago

> Checkout.com hacked, refuses ransom payment, donates to security labs

This submission's edited title reads like the "target headline" from The Office (US):

> Scranton Area Paper Company - Dunder Mifflin - Apologizes - to Valued Client - Some Companies - Still Know - How - Business - is - Done

vntok | 20 hours ago

At this point I think we all understand that we will never be able to trust any company in this world with our data.

In most cases they can get away with a "We are sorry" and "Trust me, bro" attitude.

junaru | a day ago

This should be law. Any company that is hacked should be required by law to make a sizeable investment in a third-party security research company.

lateforwork | 21 hours ago

I have the checkout.me domain, and it is for sale. Email me if you want to get it.

betimd | 20 hours ago