Checkout, a UK-based financial tech firm, recently suffered a data breach orchestrated by the cybercriminal group ShinyHunters, who have demanded a ransom for stolen merchant data. In response, the company announced it would not pay the ransom but instead donate the equivalent amount to Carnegie Mellon University and the University of Oxford Cyber Security Center to fund cybercrime research initiatives.
The breach occurred after ShinyHunters gained unauthorized access to a legacy third-party cloud storage system used by Checkout in 2020 and earlier. This system, which had not been properly decommissioned, contained internal operational documents, onboarding materials, and data from a significant portion of company’s merchant base, including past and current customers. The company estimates that less than 25% of its current merchant base was affected by the incident.
The tech firm provides payment processing services to major global brands such as eBay, Uber Eats, adidas, GE Healthcare, IKEA, Klarna, Pinterest, Alibaba, Shein, Sainsbury’s, Sony, DocuSign, Samsung, and HelloFresh, managing billions in merchandise revenue. The company’s systems include a unified payments API, hosted payment portals, mobile SDKs, and plugins for existing platforms, along with fraud detection, identity verification, and dispute management features.
ShinyHunters is an international threat group known for targeting large organizations, often leveraging phishing, OAuth attacks, and social engineering to infiltrate systems and extort ransom payments. The group has recently exploited the Oracle E-Business Suite zero-day vulnerability (CVE-2025-61884) and carried out attacks on Salesforce and Drift systems affecting multiple organizations earlier in the year.
Despite the pressure to pay a ransom to prevent the leaked data from being published, Checkout has refused and opted for a different strategy. The company will invest in strengthening its own security infrastructure and protecting its customers more effectively in the future. Additionally, the company has committed to supporting academic research in cybersecurity by channeling the intended ransom funds to prestigious universities.
Checkout has not disclosed the identity of the compromised third-party cloud file storage system or the specific breach method. The company continues to work on bolstering its defenses and has emphasized its commitment to transparency and customer protection. This decision sets a notable precedent for organizations facing ransomware demands, highlighting the importance of proactive security investment and responsible action in the face of cyber threats.
