
Nayax refuses to pay ransom after cyberattack despite threat to leak stolen data
The fintech company says hackers accessed data from a subsidiary's cloud account but did not breach its core systems or obtain sensitive payment credentials. It expects no material financial impact from the incident.
About a week after reporting a cybersecurity incident to the U.S. Securities and Exchange Commission (SEC), fintech company Nayax, which develops payment and commerce solutions and is listed on both the Tel Aviv Stock Exchange and Nasdaq, today published the findings of its internal investigation. The company also confirmed that it has decided not to comply with the attackers' ransom demands, despite threats to publish the stolen data if payment is not made by July 21.
At the heart of the announcement is the company's decision "not to comply with the extortion demands of the criminal actors involved." Nayax's board of directors said the decision was based on the view that "compliance with such demands is not consistent with the long-term interests of the company's customers, partners, employees, and shareholders."
Nayax said it "has completed a comprehensive review of its systems and all technical response and containment activities related to the incident. The company's systems have been cleared, and based on the findings of the investigation conducted to date, it has been confirmed that they are free of any unauthorized access." The company reiterated that its production environment and core systems were never compromised and that business operations continue as normal.
The investigation did confirm that data was exfiltrated from a cloud account belonging to one of the company's subsidiaries. According to Nayax, the stolen information includes "a backup of scanned documents, additional business information, and, most significantly, a backup copy of payment transaction records."
However, the company sought to reassure customers and investors that the compromised data does not include sensitive payment credentials or personally identifiable payment information. Nayax said the transaction backup "does not include sensitive payment verification data, such as cardholder names, CVV codes, or identification numbers, as this type of information is neither collected nor generally stored in the company's systems."
The company added that much of the potential risk is mitigated by the widespread use of digital wallets. "A significant portion of the transactions were carried out using digital wallets such as Apple Pay and Google Pay, where the payment credential is replaced with a one-time token that cannot be reused to initiate transactions, even if exposed." Based on the investigation, Nayax said customer funds remain fully secure and there has been no unauthorized access to customer accounts.
Nayax added that it has incurred, and expects to continue incurring, costs related to incident response, system restoration, forensic investigations, and crisis management. The company said the full financial impact of the incident, including potential insurance recoveries and any effect on customer behavior, has yet to be determined. Nevertheless, it does not expect the incident to have a material impact on its financial condition or annual results.
"As of the date of this report, the company does not expect the event to have a material impact on its financial condition or results of operations," Nayax said.














