STOCK TITAN
  1. Home
  2. Sec-filings
  3. BPOP
  4. [8-K] POPULAR, INC. Reports Material Event

Third-party cyber incident hits Popular (NASDAQ: BPOP) customer data

Filing Impact
(Moderate)
Filing Sentiment
(Neutral)
Form Type
8-K

Rhea-AI Filing Summary

Popular, Inc. reported that a third-party provider, Evertec, Inc., suffered a cybersecurity incident that exposed certain data from Banco Popular de Puerto Rico customers. Compromised information includes debit card numbers and other personal details.

Popular is working with Evertec, has enhanced fraud monitoring, and will notify affected customers. It states its own systems were not accessed and it has contractual rights to be covered by Evertec for related losses and customary costs. Based on information available, Popular does not believe the incident is reasonably likely to have a material impact on its operations, financial condition, or results.

Positive

  • None.

Negative

  • None.

Insights

Popular discloses third-party data breach, currently seen as non‑material.

Popular, Inc. reports that core processor Evertec experienced a cybersecurity incident compromising certain Banco Popular de Puerto Rico customer data, including debit card numbers and other personal information. Popular emphasizes that its own systems were not accessed.

The company has activated incident response protocols, strengthened fraud monitoring, informed regulators, and will notify affected customers. It also highlights contractual rights to coverage from Evertec for losses and related reasonable and customary costs, which may help offset remediation expenses.

Management currently states it does not believe the incident is reasonably likely to have a material impact on operations, financial condition, or results. However, it lists potential risks such as regulatory scrutiny, customer relationship effects, and uncertainties around Evertec’s ongoing analysis, indicating that ultimate impacts depend on findings and subsequent developments.

Item 8.01 Other Events Other
Voluntary disclosure of events the company deems important to shareholders but not covered by other items.
cybersecurity incident technical
"Evertec had experienced a cybersecurity incident affecting certain data of its clients"
A cybersecurity incident is an event where someone's computer systems or data are attacked or broken into without permission. It matters because it can lead to stolen information, financial loss, or disruptions in services, similar to a break-in at a store that damages property or steals valuable items.
personal information financial
"the affected data includes personal information of certain BPPR customers"
fraud monitoring financial
"has implemented enhanced fraud monitoring measures to further protect its customers"
Fraud monitoring is the ongoing process of detecting, preventing and investigating dishonest or illegal activity that could harm a company’s finances, reputation or customers. It combines routine checks, data analysis and alerts — like a security camera and alarm system for a company’s money and records — to spot unusual patterns early. Investors care because strong fraud monitoring reduces the chance of unexpected losses, fines and reputational damage that can erode a company’s value.
forward-looking statements regulatory
"contains “forward-looking statements” within the meaning of the U.S. Private Securities Litigation Reform Act of 1995"
Forward-looking statements are predictions or plans that companies share about what they expect to happen in the future, like estimating sales or profits. They matter because they help investors understand a company's outlook, but since they are based on guesses and assumptions, they can sometimes be wrong.
See more from StockTitan in Google Search and AI answers. Adds StockTitan as a preferred source · opens Google
Add on Google
Understanding 8-K Material Events →
false 0000763901 0000763901 2026-06-09 2026-06-09 0000763901 us-gaap:CommonStockMember 2026-06-09 2026-06-09 0000763901 us-gaap:CumulativePreferredStockMember 2026-06-09 2026-06-09
 
 

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, D.C. 20549

 

 

Form 8-K

 

 

CURRENT REPORT

Pursuant to Section 13 OR 15(d)

of the Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): June 9, 2026

 

 

POPULAR, INC.

(Exact name of registrant as specified in its charter)

 

 

 

Puerto Rico   001-34084   66-0667416

(State or other jurisdiction of

incorporation or organization)

  

(Commission

File Number)

   (IRS Employer
Identification Number)

 

209 Muñoz Rivera Avenue

Hato Rey, Puerto Rico

   00918
(Address of principal executive offices)   (Zip code)

(787) 765-9800

(Registrant’s telephone number, including area code)

NOT APPLICABLE

(Former name, former address and former fiscal year, if changed since last report)

 

 

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions (see General Instruction A.2. below):

 

 

Written communication pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

 

 

Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

 

 

Pre-commencement communication pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

 

 

Pre-commencement communication pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

 

Title of each class

  

Trading
Symbol(s)

  

Name of each exchange
on which registered

Common Stock ($0.01 par value)   BPOP   The NASDAQ Stock Market
6.125% Cumulative Monthly Income Trust Preferred Securities   BPOPM   The NASDAQ Stock Market

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company 

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

 

 
 

Item 8.01.

Other Events.

On May 15, 2026, Popular, Inc. (the “Corporation”) was notified by Evertec, Inc. (“Evertec”), a third-party core financial transaction processing and information technology services provider of the Corporation, that Evertec had experienced a cybersecurity incident affecting certain data of its clients, including that of Banco Popular de Puerto Rico (“BPPR”), the Corporation’s Puerto Rico banking subsidiary. Subsequent to its initial notification, Evertec notified the Corporation that it had identified additional data from BPPR that had been compromised. Based on information gathered to date, the affected data includes personal information of certain BPPR customers, including debit card numbers and certain other information. The Corporation is assessing the situation closely with Evertec and has implemented enhanced fraud monitoring measures to further protect its customers. The Corporation has a contractual right to be covered by Evertec for losses resulting from, and reasonable and customary costs and expenses related to, the incident.

The Corporation promptly initiated its cybersecurity incident response protocols and has notified applicable regulators. Affected customers will be notified directly, as appropriate.

The Corporation’s systems were not accessed in or otherwise affected by this incident.

Based on the information currently available, the Corporation does not believe that the incident is reasonably likely to have a material impact on the Corporation’s operations, financial condition or results of operations.

Cautionary Note Regarding Forward-Looking Statements

This Current Report on Form 8-K contains “forward-looking statements” within the meaning of the U.S. Private Securities Litigation Reform Act of 1995, including statements regarding the Corporation’s current expectations regarding the cybersecurity incident and its impacts. These statements are based on management’s current expectations and, by their nature, involve risks and uncertainties. Potential factors, some of which are beyond the Corporation’s control, could cause actual results to differ materially from those expressed in, or implied by, such forward-looking statements. Risks and uncertainties include, without limitation, the results of Evertec’s analysis of the scope and details of the cybersecurity incident and the discovery of new or additional information; any potential adverse impact of the cybersecurity incident on the Corporation’s operations, financial condition or results of operations; diversion of management’s attention from operations of the Corporation to address the cybersecurity incident; potential adverse effects on relationships with customers and other third parties as a result of the cybersecurity incident; regulatory scrutiny of the cybersecurity incident; risks related to the availability of the cost and expense reimbursement and insurance coverage; and other risks described in Part I, Item 1A: Risk Factors included in the Corporation’s Annual Report on Form 10-K for the year ended December 31, 2025 and other reports on file with the Securities and Exchange Commission.

SIGNATURE

Pursuant to the requirements of the Securities Exchange Act of 1934, as amended, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

 

       

POPULAR, INC.

(Registrant)

Date: June 9, 2026     By:  

/s/ José R. Coleman Tió

      José R. Coleman Tió
      Executive Vice President and Chief Legal Officer

Source: View Original Filing on SEC EDGAR

FAQ

Filing Exhibits & Attachments

4 documents

Other Documents