ShinyHunters Compromises Legacy Cloud Storage System of Checkout.com
2025-11-14 20:15:15 Author: securityboulevard.com

Online payment processor Checkout.com was attacked earlier this month by the high-profile extortion group ShinyHunters, which claimed it had breached a server and stolen data and was now demanding the London-based company pay a ransom.

Checkout.com executives said the company will not pay the ransom and, instead, will donate the undisclosed amount demanded to two universities to help fund their cybersecurity research.

“We will not be extorted by criminals,” Checkout.com CTO Mariano Albera wrote this week in a blog post outlining the attack and the company’s response. “We will not pay this ransom. … Security, transparency and trust are the foundation of our industry. We will own our mistakes, protect our merchants, and invest in the fight against the criminal actors who threaten our digital economy.”

The company’s quick disclosure of the data breach and its strong response were a welcome step, but the attack also served as another reminder of the risks posed by corporate systems that are no longer being used but have not been properly decommissioned.

Legacy Third-Party System Hacked

According to Albera, the ShinyHunters attackers accessed a legacy third-party cloud file storage system that was last used by Checkout.com in 2020 to hold internal operational documents and merchant onboarding materials. He said that less than a quarter of the company’s current merchant base will be affected by the breach, and that the “incident has not impacted our payment processing platform. The threat actors do not have, and never had, access to merchant funds or card numbers.”

Still, the CTO offered a mea culpa for the incident, pointing to the improper decommissioning of the systems.

“This was our mistake, and we take full responsibility,” he wrote. “We are sorry. We regret that this incident has caused worry for our partners and people.”

Checkout.com is identifying and contacting companies that were impacted. It also is working with law enforcement agencies and regulators. The money that the attackers demanded will be sent to Carnegie Mellon University and the University of Oxford Cyber Security Center.

Shut Down Old, Unused Technology

Cyberattacks involving older systems that were badly decommissioned or not decommissioned at all are not unusual. In 2021, DNA-testing center DNA Diagnostics Center (DDC) made headlines when it was hit by a massive data breach in which health and personal information – including names, credit and debit card numbers, and financial account numbers – was exfiltrated.

Among the systems the hackers compromised using the Cobalt Strike tool was a database that DDC inherited when it bought a smaller company in 2012. The database contained older backups from between 2004 and 2012 and wasn’t linked to DDC’s active systems or databases. The fallout of the breach included not only the disclosure of some of the data, but also damage to the company’s reputation and to its finances through the fines it had to pay, according to business consultancy The TJC Group.

It was a lesson in the importance of managing such legacy systems, according to Laura Parri Royo, marketing director at The TJC Group, and Audren Butery, a SAP consultant with the consultancy.

“Legacy system decommissioning is one of the areas of IT infrastructure management that commonly gets neglected,” Royo and Butery wrote last month. “It’s not exactly exciting and cutting-edge compared with other projects, so this tendency is unsurprising. Yet in today’s world, where levels of cybercrime continue to grow exponentially, this is possibly the single most expensive mistake a CTO can make. Legacy system decommissioning is a strategic IT issue – for lots of reasons.”

Article source: https://securityboulevard.com/2025/11/shinyhunters-breaches-legacy-cloud-storage-system-of-checkout-com/