Breach taxonomy
Summary
On August 29, 2025, Sinqia S.A., a Brazilian subsidiary of EVERTEC, Inc., identified unauthorized activity in its Pix real-time payment environment. Approximately R$710 million (~$142M USD) in unauthorized B2B transactions affecting two financial institution customers were processed through Sinqia's Pix environment via exploited legitimate IT vendor credentials. The BCB prohibited Sinqia from resuming processing in the Brazilian Payments System (SPB) pending review and approval. Forensic analysis confirmed the breach was limited to Sinqia's Pix environment through third-party IT vendor credential exploitation. Filed under Item 8.01; materiality not yet determined as of filing date.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident to a specific actor; credentials were exploited but no group or actor type identified → UNKNOWN.
MethodsAccount TakeoverSupply Chain
Filing states 'unauthorized transactions were introduced into Sinqia's Pix environment by exploiting legitimate Sinqia IT vendors' credentials' — IT vendor credential exploitation is a supply chain attack vector combined with account takeover → ACCOUNT-TAKEOVER + SUPPLY-CHAIN.
AssetsCash EquivalentRevenue Process
Approximately R$710M in unauthorized financial transactions were processed through Sinqia's Pix environment, directly affecting cash/cash equivalents; Pix transaction processing operations (revenue-generating service) were halted → CASH-EQUIVALENT + REVENUE-PROCESS.
EffectsFinancial FraudBiz Interruption
Approximately R$710M in unauthorized transactions constitutes financial fraud; BCB prohibited Sinqia from resuming Pix/SPB processing, halting payment operations for 24 financial institution customers → FINANCIAL-FRAUD + BIZ-INTERRUPTION.
Business continuityFailed
BCB informed Sinqia it would not be permitted to resume processing until BCB reviews and approves actions taken; payment processing remained offline with no restored timeline as of filing → Failed.
Impact
Approximately R$710M (~$142M USD) in unauthorized transactions with ongoing recovery efforts; BCB prohibition on resuming Brazil payment processing for 24 financial institution customers with potentially material financial and reputational impact → score 4.
InsuranceNot disclosed
Filing states the company has not yet determined 'the applicability of any insurance coverage' — this indicates uncertainty, not confirmation; no insurance claim made → null.
Read the original SEC filing excerpt
Item 8.01 Other Events On August 29, 2025, Sinqia S.A. (Sinqia), a Brazilian subsidiary of EVERTEC, Inc. (Evertec or the Company), identified unauthorized activity in its environment of the Brazilian Central Bank (BCB) real-time payment system known as Pix. Upon detecting the incident, and in accordance with its incident response protocol, Sinqia halted transaction processing in its Pix environment and began working with outside cybersecurity forensics experts. Subsequently, the BCB informed Sinqia that it would not be permitted to resume processing transactions in the Brazilian Payments System (SPB) and Pix until the BCB reviews and approves the actions taken. Sinqia communicated promptly with federal and state law enforcement authorities in Brazil and the financial institution customers using its Pix environment. This matter affects a single application in Brazil, and no other Evertec products or services are impacted. The unauthorized activity is related to Business-to-Business financial transactions involving two financial institutions that are customers of Sinqia's Pix transaction processing services. The Company believes that approximately R$710 million in unauthorized transactions affecting those two Sinqia customers were processed through Sinqia's Pix environment on August 29, 2025. The Company has been informed that a portion of that amount has been recovered and additional recovery efforts are ongoing. Preliminary results of the Company's forensics analysis indicate that the unauthorized transactions were introduced into Sinqia's Pix environment by exploiting legitimate Sinqia IT vendors' credentials. Sinqia has terminated access to these credentials. The Company believes the incident is limited to Sinqia's Pix environment and has not identified any unauthorized activity in any other Sinqia systems outside of Pix in Brazil. The Company also has no indication that any personal data has been compromised.