Checkout.com hacked, refuses ransom payment, donates to security labs
Perception of the Apology & Transparency
- Some readers found the statement unusually direct and human, praising explicit acceptance of responsibility and the refusal to pay ransom.
- Others argued it was a stylized “non-apology”: apologizing for customers’ worry rather than explicitly for security failures, avoiding clear descriptions of what exactly was stolen and how it will be prevented in future.
- Debate over what a “real” corporate apology should include: clear admission of fault, explanation of root causes, concrete remediation steps, and possibly compensation.
- Wording like “maintaining your trust” vs. “rebuilding” or “restoring” trust was scrutinized as signaling how seriously the company takes the incident.
- Some see the disclosure timeline as relatively fast by industry standards; others note the breach was detected only when attackers contacted the company.
Scope and Nature of the Breach
- Attackers accessed a legacy third‑party cloud storage system that wasn’t properly decommissioned.
- Commenters infer it likely held merchant onboarding (KYB/KYC) materials: corporate documents, questionnaires, and possibly ID/passport scans and tax IDs for directors and owners.
- Main concern is identity theft and high‑quality phishing against merchants, not card data loss.
- Several accuse the company of emphasizing what was not accessed (funds, card numbers) while being vague about what was taken, and of downplaying the impact with the “less than 25%” figure.
Ransom Refusal, Donation & “Virtue Signaling”
- Many strongly support refusing ransom on principle: paying is seen as unreliable (no proof of deletion) and fuels further attacks.
- Others argue pragmatically that paying often lowers the chance of public leaks and may best protect customers; they note ransom payments are common and generally legal if sanctions are observed.
- The decision to donate the ransom-sized amount to security research is praised as a meaningful, costly signal and a “middle finger” to attackers.
- Critics call it PR or virtue signaling, arguing the funds should instead go to strengthening internal security or compensating affected customers, and that research won’t fix basic hygiene failures.
Security Practices & Systemic Issues
- Split between “everybody gets hacked; what matters is response” and “leaving sensitive data on abandoned systems is basic negligence, not inevitability.”
- Emphasis on data minimization, aggressive decommissioning of legacy systems, and deleting unneeded data/accounts to limit blast radius.
- Some propose structural responses: banning ransom payments, mandating post‑breach spend on independent security, or more aggressive international cybercrime enforcement.