When companies face ransomware threats, responses often unfold behind closed doors. Checkout.com took a different approach.
In early November 2025, the global payments firm was targeted by ShinyHunters, a well-known cybercrime group. The attackers accessed a legacy third-party cloud storage system that remained online despite no longer being actively used. The exposed data included internal operational documents and merchant onboarding materials dating to 2020 and earlier.
Checkout.com Chief Technology Officer Mariano Albera publicly acknowledged the incident and accepted responsibility. He said the breach affected an estimated 25 percent of current customers, a disclosure that set an unusually transparent tone for an active cyber extortion case.
Rather than engage in ransom negotiations or pursue costly legal action, Checkout.com announced it would redirect funds typically allocated for such responses into independent cybersecurity research. The company said the goal was to support broader efforts to understand cybercrime patterns, improve cloud security practices, and help prevent similar incidents across the fintech sector.
The move signaled a refusal to financially reward extortion attempts while preserving the company’s operational and financial stability. It also underscored a leadership approach centered on accountability and direct communication during a security incident.
Industry analysts note that transparency during cyber incidents can play a critical role in maintaining trust with customers and partners. By clearly outlining what happened and limiting speculation, organizations can reduce uncertainty and reputational damage.
Checkout.com said it plans to use the incident as a catalyst for improving internal security practices and contributing to industry-wide defenses. The company highlighted several lessons for organizations facing similar threats, including eliminating unused or unmonitored systems, proactively communicating with stakeholders, and investing in preventative security research rather than reactive payments.
ShinyHunters sought financial leverage through a ransomware demand. Instead, Checkout.com used the incident to reinforce its security posture and promote broader cybersecurity resilience. The case illustrates how leadership decisions during cyber incidents can shape outcomes well beyond the immediate breach.
