Evertec Reports Unauthorized Activity in Pix System According to Sinqia SEC Filing

Evertec Inc. reported unauthorized activity in its Pix System in a SEC filing. The company is a transaction processing company offering merchant acquiring, payment processing, and business process management services. Evertec operates through three segments: Merchant Acquiring, Payment Processing, and Business Solutions. Its ATH network is a PIN debit network in Latin America, serving financial institutions, merchants, corporations, and government agencies.

Evertec Inc., a prominent transaction processing company, has reported unauthorized activity in its Pix System in a recent SEC filing. The company, which offers merchant acquiring, payment processing, and business process management services, operates through three primary segments: Merchant Acquiring, Payment Processing, and Business Solutions. Its ATH network is a PIN debit network in Latin America, serving financial institutions, merchants, corporations, and government agencies.

On August 29, 2025, Evertec disclosed that its Pix transaction environment in Brazil processed approximately R$710 million in unauthorized Business-to-Business (B2B) transactions. The company stated that a portion of the amount has been recovered, and additional recovery efforts are ongoing. Preliminary forensic analysis indicates that the transactions were introduced using legitimate credentials of Sinqia IT vendors, which have since been terminated. The issue appears to be limited to Sinqia's Pix environment, with no unauthorized activity identified in other Sinqia systems and no indication of personal data compromise [1].

Evertec cautions that the financial and reputational impact, potential liability, insurance applicability, and effect on internal controls are not yet determined and could be material. The company has provided analyses to the Central Bank of Brazil (BCB) and the two impacted customers. The incident raises significant concerns about vendor governance and real-time monitoring of Pix transactions [1].

The unauthorized transactions, totaling approximately R$710 million, pose a substantial risk to Evertec's financial health and reputation. While the company has taken containment actions, such as terminating compromised vendor credentials, the full extent of the impact remains uncertain. The financial and reputational effects, potential liability, insurance coverage, and operational disruption risk are all areas of concern. The company's Pix environment serves 24 financial-institution customers, and any disruption to service could affect revenue recognition, customer retention, and potential claims [1].

Until Evertec discloses the amounts recovered, any liabilities, or impacts to internal controls, the financial effect remains indeterminate. The incident serves as a reminder of the critical importance of robust cybersecurity measures and the potential consequences of vendor credential compromise. Investors and financial professionals should closely monitor the situation and assess the potential long-term implications for Evertec's operations and financial performance.

References:
[1] https://www.stocktitan.net/sec-filings/EVTC/8-k-evertec-inc-reports-material-event-2e13e8f89cb8.html