‘TSYS’ Downplays Ransomware Incident but Data Is Already Leaking

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

‘TSYS’ (Total System Services) suffered a ransomware attack a couple of days ago, but the company maintains that it’s really nothing to worry about. As they stated, the suspicious activity was immediately identified and contained, and it only momentarily affected certain corporate back-office functions of a legacy merchant business. Thus, all operations continue to function normally, and there have been no serious occurrences - such as stealing data from the company’s systems, for example.

However, “Conti,” who appears to be the culprit gang, has already leaked 10GB of data that they claim to derive from the attack on TSYS’s corporate network, and this is allegedly only 15% of the information they hold. Conti is only focusing on attacks accompanied by data-stealing action, and they generally don’t publish anything so soon unless the victim refuses to even negotiate with them. So, the chances of this being a bluff from the crooks’ side are minimal, although the leaked data hasn’t been confirmed as valid yet.

TSYS is the world’s third-largest payment processing service provider, belonging to ‘Global Payments,’ an American financial tech service provider. A breach oν TSYS’s systems is a severe incident as it could mean the exposure of very sensitive data. Conti claims to have prepaid card data, but TSYS denies that. The firm says that hit is ‘Cayan,’ whom they acquired for $1.05 billion in 2018. Soon after ‘Global Payments’ bought TSYS in September 2019, Cayan was partially deprecated, and this is why it’s characterized as a legacy now.

Conti may hold data that is less valuable than they think it is, but TSYS may also be playing a game of downplaying the situation. We really have no way to tell until Conti publishes more data if they ever do that anyway.

Krebs on Security has reached out to TSYS asking for a comment on all of the above, and here’s what the researcher got back in response:

Transaction processing is conducted on separate systems, has continued without interruption, and no card data was impacted. We regret any inconvenience this issue may have caused. This matter is immaterial to the company.

The above statement leaves no margins for misinterpretation or assumptions to the seriousness of the security incident. Hopefully for the clients of the firm, this is really the case here.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: