Nayax says it will not pay ransom after data breach
The Israeli payments platform said hackers copied backup data, but customer safeguarded funds and sensitive card details were not accessed.
By Ingrid Halvorsen · Staff Writer
· 2 min read
Nayax said it will not pay a ransom after hackers stole data in a recently disclosed breach, while the Israeli payments and loyalty platform said customer safeguarded funds were not affected. The company said its review found no unauthorized access to those accounts and no exposure of cardholder names, CVV values or identification information.
The company, which provides payments and loyalty services to merchants, said it had completed a system review and remediation work after revealing the incident earlier this month. Nayax said those steps left its systems free of unauthorized access.
According to Nayax, its investigation found that the attackers obtained a copy of a backup that included scanned documents, some additional business-related information and mainly backed-up payment transaction records. The company said the transaction records did not contain sensitive data such as cardholder names, CVV codes or ID information.
Some transactions covered by the copied records involved digital wallets including Apple Pay and Google Pay, Nayax said. In those cases, the company said, payment credentials are represented by single-use tokens, which are designed to be unusable if exposed.
Board rejects ransom demand
The Nayax board said it would not “comply with criminal extortion demands” and that the company is working with law enforcement. Nayax did not disclose the size of the ransom demand, the identity of the attackers or the number of customers affected in the details it released.
The company’s statement draws a distinction between transaction data copied from a backup and direct access to funds held for customers. Nayax said all customer safeguarded funds remained untouched, and that its investigation did not identify unauthorized access to those safeguarded accounts.
Backups can carry operational and customer records even when production systems are secured after a breach. In this case, Nayax said the copied material included document scans, business-related information and transaction records, while excluding the card security and identity fields that often increase fraud and account-takeover risk when exposed.
Digital wallet transactions add another layer to the company’s assessment. Nayax said some of the affected transactions used Apple Pay or Google Pay, where payment credentials are handled through one-time tokens rather than reusable card details. The company said those tokens have no value if disclosed.
Nayax did not report any loss of safeguarded customer funds and said it has removed unauthorized access from its environment after the review and remediation process. The company said it is continuing to cooperate with law enforcement following the extortion attempt.
This story draws on original reporting from Finextra Research.