Digital extortion is a huge business, because affected orgs keep forking over money to get their data back. However, instead of paying a ransom demand after getting hit by extortionists last week, payment services provider Checkout.com donated the demanded amount to fund cybercrime research.
And – perhaps even more unusual than refusing to pay the extortionists’ demand – Chief Technology Officer Mariano Albera said that his company takes “full responsibility” for the security incident, and apologized for the circumstances that allowed the breach to happen.
“We are sorry. We regret that this incident has caused worry for our partners and people,” Albera said in a Wednesday blog post.
“We will not be extorted by criminals,” he added. “We will not pay this ransom.”
The CTO said ShinyHunters contacted his company last week, claimed to have stolen data, and demanded a ransom. Albera didn’t specify how much money the criminals wanted in exchange for files, and Checkout.com declined to comment on this when contacted by The Register.
After launching its own internal investigation, the payment services firm determined that the crooks had broken into a “legacy third-party cloud file storage system” that wasn’t properly decommissioned and was used in 2020 and prior years.
Again, no word on which third-party storage system ShinyHunters breached to gain access to Checkout.com’s data, but this is the crime gang that broke into Snowflake customers’ databases last year. More recently, the crew breached dozens of orgs’ Salesforce databases.
According to Albera, Checkout.com used this compromised cloud database “for internal operational documents and merchant onboarding materials” in 2020 and prior years, and the intrusion affected less than 25 percent of its existing merchant base.
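The root cause described above, a legacy cloud storage location that outlived its purpose without ever being formally decommissioned, is a common failure mode, and the defensive control is a periodic inventory that flags storage nobody owns, nobody writes to, or anybody can read. The following is an added example of such a check, written for this article and not code from Checkout.com or The Register. It assumes that an inventory of storage locations has already been pulled from the cloud providers' listing APIs into simple records (the field names, the one-year staleness threshold, the review date and the sample entries are all constructed for illustration).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical inventory record; in practice these fields are populated from
# the provider's bucket/container listing and tagging APIs.
@dataclass
class StorageInventoryEntry:
    name: str
    provider: str
    last_write: datetime          # most recent object write in the location
    owner_tag: Optional[str]      # team responsible, None if untagged
    decommissioned: bool          # formally retired (deleted or frozen)
    public_access: bool           # readable without authentication

# Assumed policy: a location with no writes for a year needs a decommission review.
STALE_AFTER = timedelta(days=365)

Finding = Tuple[str, str, List[str]]  # (name, severity, reasons)

def audit_legacy_storage(entries: List[StorageInventoryEntry], now: datetime) -> List[Finding]:
    """Return storage locations that need a decommission or ownership review.

    Severity is 'high' when the location is publicly readable, or when it is
    both stale and unowned (the combination that leaves data sitting around
    with nobody accountable for it); otherwise 'medium'.
    """
    findings: List[Finding] = []
    for entry in entries:
        if entry.decommissioned:
            continue  # already retired through the proper process
        reasons: List[str] = []
        age = now - entry.last_write
        stale = age > STALE_AFTER
        if stale:
            reasons.append(f"no writes for {age.days} days")
        if not entry.owner_tag:
            reasons.append("no owner tag")
        if entry.public_access:
            reasons.append("publicly accessible")
        if not reasons:
            continue
        severity = "high" if entry.public_access or (stale and not entry.owner_tag) else "medium"
        findings.append((entry.name, severity, reasons))
    # High-severity items first, then alphabetical so the report is stable.
    findings.sort(key=lambda f: (f[1] != "high", f[0]))
    return findings

# Constructed sample inventory and review date (not real Checkout.com assets).
NOW = datetime(2025, 11, 14, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    StorageInventoryEntry("onboarding-docs-2019", "vendor-a", datetime(2020, 3, 1, tzinfo=timezone.utc), None, False, False),
    StorageInventoryEntry("prod-statements", "vendor-b", datetime(2025, 11, 12, tzinfo=timezone.utc), "payments-platform", False, False),
    StorageInventoryEntry("old-exports", "vendor-a", datetime(2021, 6, 1, tzinfo=timezone.utc), "data-team", False, True),
    StorageInventoryEntry("archive-2018", "vendor-a", datetime(2018, 1, 1, tzinfo=timezone.utc), "finance", True, False),
    StorageInventoryEntry("marketing-assets", "vendor-c", datetime(2024, 9, 1, tzinfo=timezone.utc), "marketing", False, False),
]

if __name__ == "__main__":
    for name, severity, reasons in audit_legacy_storage(SAMPLE_INVENTORY, NOW):
        print(f"[{severity}] {name}: {', '.join(reasons)}")
```

Run against the constructed inventory, the publicly readable `old-exports` location and the unowned, untouched-since-2020 `onboarding-docs-2019` location come out as high severity, the stale but owned `marketing-assets` as medium, and the retired `archive-2018` is skipped because it went through decommissioning. The useful part of the check is the combination of signals: age alone produces noise, but age plus a missing owner is exactly the profile of a forgotten system that an attacker can reach long after the business stopped thinking about it.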
“This incident has not impacted our payment processing platform,” he wrote. “The threat actors do not have, and never had, access to merchant funds or card numbers.”
In addition to apologizing to its customers and partners for the security snafu, the company is in the process of contacting impacted customers and is “working closely with law enforcement and the relevant regulators.”
Plus, instead of caving to the crims’ demand, Albera said the company will donate the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to support cybercrime research.
“Security, transparency and trust are the foundation of our industry,” he wrote. “We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy.”
While we anticipate a full post-mortem in the coming weeks after Checkout.com finishes its investigation, we commend the company and its execs for taking ownership, apologizing, and not funding the criminals’ business (although we do understand that choice – to pay or not to pay – depends on several factors including the victim org’s sector and can ultimately become a life or death decision).
But after all of the lies, damned lies, and marketing BS that we typically see after a ransomware attack or any other security incident, it’s refreshing to read a bit of truth and transparency from Checkout.com, and we hope other companies take note. ®
Correction: Although thieves stole data from Checkout.com, no ransomware was involved.