Cyber Incident Victim: TSYS
Date: Dec 2020
Location: United States of America
Summary
The Conti group, using malware also known as Ryuk, conducted a ransomware attack on payment processing giant TSYS. The attackers exfiltrated and publicly released over 10 gigabytes of data, threatening further disclosures while claiming prepaid card data was compromised. TSYS confirmed the incident affected administrative systems supporting a legacy merchant business unit (identified as Cayan) but asserted that transaction processing systems remained isolated and operational, with no card data exposure. The company characterized the breach as immaterial to operations, emphasizing containment and normal business continuity. Conti typically publishes stolen data only when victims refuse ransom negotiations, though TSYS declined to disclose whether any payment was made. Industry reports highlighted ransomware groups increasingly focusing on financial services, with Ryuk being the predominant threat.
Description
In early December 2020, payment processing firm TSYS (a subsidiary of Global Payments Inc. since 2019) suffered a ransomware attack attributed to the Conti cybercriminal group, which also operates under the name Ryuk. The attackers infiltrated systems supporting corporate back-office functions of TSYS's legacy merchant business unit, specifically identified as Cayan—an entity acquired by TSYS in 2018 that handled physical, mobile, and e-commerce payment enablement. On December 8, Conti published over 10 gigabytes of stolen data on its leak site, claiming this represented only 15% of the total exfiltrated information, and threatened further releases. TSYS detected the intrusion promptly, contained the suspicious activity, and maintained normal business operations throughout the incident. The company emphasized that its transaction processing systems operated on segregated infrastructure, remained uninterrupted, and contained no evidence of compromised payment card data despite Conti's assertions about prepaid card information being accessed.

TSYS characterized the incident as "immaterial to the company," confirming the ransomware's impact was confined to administrative functions rather than core payment processing environments. The organization did not disclose whether it negotiated with or paid ransom to the attackers. Security researchers noted Conti typically publishes stolen data only when victims refuse ransom demands, though the group historically bundled decryption keys and data deletion promises into single payments rather than adopting separate extortion tiers. The attack occurred amid broader industry trends highlighted by FS-ISAC, which identified ransomware—particularly Ryuk/Conti variants—as the predominant cyber threat to financial services, with at least eight financial institutions targeted in the four months preceding November 2020. TSYS's containment measures prevented operational disruption to card processing services, and no forensic evidence supported the threat actors' claims of accessing sensitive payment information.
