A recent cybersecurity breach targeted the Brazilian subsidiary of financial technology giant Evertec, with hackers attempting to siphon off $130 million. The incident, which occurred on August 29, 2025, involved unauthorized access to the environment of Sinqia S.A. on the Central Bank of Brazil’s real-time payment system, Pix. According to a U.S. Securities and Exchange Commission (SEC) filing by Evertec, the hackers exploited stolen credentials belonging to an IT vendor to gain entry into Sinqia’s systems. This breach led to an attempt to execute unauthorized business-to-business transactions involving two of Sinqia’s financial institution clients. Upon detecting the suspicious activity, Sinqia’s incident response protocol was immediately activated, leading to the halting of all transaction processing within its Pix environment.
The targeted payment system, Pix, is Brazil’s highly popular and widely used instant payment platform, enabling 24/7 fund transfers.
Its ubiquity has also made it a frequent target for malicious cyber activities, including those involving Android banking malware. In this specific incident, the unauthorized access allowed the hackers to initiate transactions aimed at stealing a substantial sum. Although local media reports implicated HSBC bank in the incident, a spokesperson for the bank clarified that no customer funds or data were affected. This reassurance highlights the contained nature of the breach, which appears to have been limited to the operational environment of Sinqia rather than extending to end-user accounts. The swift action taken by Sinqia in halting transactions was a critical step in mitigating potential further losses.
Evertec has provided some details regarding the recovery efforts and the scope of the incident.
The company stated in its SEC filing that a portion of the $130 million has already been successfully recovered, though the exact amount was not disclosed. Recovery efforts are reportedly ongoing as the company works with outside cybersecurity forensics experts to trace and reclaim the remaining funds. Crucially, Evertec has found no evidence that the breach extended beyond Sinqia’s Pix environment or that any personal data was exposed. This is a significant point of relief, as the exposure of sensitive personal information could have led to more severe repercussions for both the company and its clients.
In response to the security breach, the Central Bank of Brazil has temporarily revoked Sinqia’s access to the Pix system. This action is a standard precautionary measure to prevent any further unauthorized activity and to ensure the integrity of the payment network. Sinqia is actively working to restore its access by providing the necessary details and assurances to the authorities. The company’s quick response and cooperation with the central bank are vital for demonstrating its commitment to security and regaining its operational status on the platform. The incident underscores the vulnerabilities inherent in real-time payment systems and the critical need for robust security protocols, especially when third-party vendors are involved.
Despite the ongoing recovery efforts and the containment of the breach, the full financial and reputational consequences for Evertec and Sinqia remain uncertain. Evertec’s SEC filing explicitly noted that “the financial and reputational impact of the incident, including any impact on the Company’s internal controls, are not yet known and could be material.” This statement acknowledges the potential for significant damage, not only in terms of direct financial loss but also to the company’s reputation and its relationships with the 24 financial institutions that rely on Sinqia’s Pix environment for their operations. The incident serves as a stark reminder of the continuous and evolving threats faced by financial technology companies and the importance of resilient cybersecurity defenses and incident response plans.
Reference:
