Nayax (Bank-of-Lithuania-licensed EEA payment institution) discloses a cloud-account incident; "The Syndicate" claims 1B card records — claim unverified and contradicted by the filing
Nayax Ltd. — an Israeli-headquartered fintech (Nasdaq/Tel Aviv-listed) providing cashless payment terminals and management platforms, and, through Nayax Europe UAB, a Bank-of-Lithuania-licensed payment institution serving more than 23 million enterprises across the EEA (Nayax, 2018-07-17) — filed a Form 6-K with the SEC on 2026-07-08 disclosing that it detected "unusual activity" in a cloud account belonging to one of its subsidiaries, which it "immediately blocked and contained" (Nayax SEC Form 6-K, 2026-07-08). Nayax states its production environment and core payment-processing systems were unaffected and business operations continue normally, with the scope still under investigation alongside Israeli and US law enforcement (DataBreaches.net, 2026-07-08).
Separately, an extortion group calling itself "The Syndicate" posted leak-site claims — surfaced by DataBreaches.net on 2026-07-08 — asserting it acquired more than 1 billion card records, had been inside Nayax's infrastructure for "almost a year", and exfiltrated over 100 TB, with a threatened ~11-day countdown to a public data portal. No evidence has been published for any of these figures, and DataBreaches.net notes the claims are internally inconsistent with Nayax's "immediately blocked and contained" characterisation — a familiar extortion pattern of inflating scope for leverage. Nayax's stock reportedly fell after the claims surfaced, but the company has not confirmed the attacker's figures (Calcalistech, 2026-07-08). The filing does not disclose the initial-access vector, the cloud provider, or which subsidiary was involved — a material gap for deriving any concrete detection lever from the disclosure alone.
As part of the company's ongoing monitoring, an unusual activity was detected in relation to one of Nayax's subsidiaries, in one of the company's cloud accounts, which was immediately blocked and contained.
The company's production environment and its core systems have not been affected by the event. The company's business activity continues as normal, without impact to the company's business operations.
One claim is that they have acquired over 1 billion card records. Another claim is that they have been inside Nayax's servers for almost a year, and have exfiltrated more than 100 TB of data. That claim appears to conflict with a claim that something was immediately blocked and contained or that it was detected quickly.
Defender actions
- If you operate or integrate with Nayax terminals/APIs, watch for a material update to the 6-K (initial-access vector, affected cloud provider, and subsidiary are all undisclosed) before drawing conclusions about card-data exposure.
- Audit subsidiary and third-party cloud accounts with access to card-processing data pipelines for anomalous authentication and bulk-export activity (cloud IAM sign-in review, DLP egress alerting on payment-data stores).
Sources
Entities & scope
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.