EVERTEC discloses R$710M Pix breach via vendor credentials; impact unclear

Rhea-AI Filing Summary

EVERTEC disclosed a cybersecurity incident affecting Sinqia's Pix transaction environment in Brazil that processed approximately R$710 million in unauthorized Business-to-Business transactions on August 29, 2025. The company says a portion of the amount has been recovered and additional recovery efforts are ongoing. Preliminary forensics indicate the transactions were introduced using legitimate credentials of Sinqia IT vendors, and those credentials have been terminated.

The issue appears limited to Sinqia's Pix environment; no unauthorized activity has been identified in other Sinqia systems and there is no indication of personal data compromise. Sinqia provided analyses to BCB and the two impacted customers. EVERTEC cautions the financial and reputational impact, potential liability, insurance applicability, and effect on internal controls are not yet determined and could be material.

Positive

• Containment actions taken: Sinqia terminated the compromised vendor credentials.
• Partial recovery reported: The company states a portion of the R$710 million has been recovered.
• Scope appears limited: No unauthorized activity identified outside the Pix environment and no indication of personal data compromise.

Negative

• Significant unauthorized volume: Approximately R$710 million in unauthorized transactions were processed.
• Material uncertainty: Financial, reputational, and internal control impacts are unknown and could be material.
• Liability and insurance unclear: The company has not determined potential liability, applicable insurance coverage, or third-party claims.
• Operational disruption risk: Approval to resume SPB and Pix processing is pending, potentially affecting service continuity for 24 customers.

Insights

Cybersecurity Risk Analyst

TL;DR: Vendor credential compromise led to ~R$710M unauthorized Pix transactions; containment steps taken, but impact and liabilities remain uncertain.

Preliminary forensics point to misuse of legitimate vendor credentials rather than a direct breach of core Sinqia systems outside Pix. Terminating those credentials is an appropriate immediate containment action. Important unanswered items include the completeness of transaction recovery, evidence of lateral movement, timelines for restoring SPB and Pix processing, and whether longer-term controls around third-party access will be strengthened. For customers and partners, the incident raises questions about vendor governance and real-time monitoring of Pix transactions.

Financial Analyst

TL;DR: R$710M of unauthorized transactions may have material financial and reputational effects; recovery and insurance coverage are key.

The company reports that part of the R$710 million has been recovered and recovery efforts continue, but it has not quantified net financial exposure or clarified insurance applicability. The Pix environment serves 24 financial-institution customers, so disruption could affect revenue recognition, customer retention, and potential claims. Until the company discloses amounts recovered, any liabilities, or impacts to internal controls, the financial effect remains indeterminate.

0001559865false00015598652025-08-292025-08-29

UNITED STATES

SECURITIES AND EXCHANGE COMMISSION

Washington, DC 20549 

FORM 8-K

CURRENT REPORT

PURSUANT TO SECTION 13 OR 15(d)

OF THE SECURITIES EXCHANGE ACT OF 1934

Date of report (Date of earliest event reported): August 29, 2025

 EVERTEC, Inc.

(EXACT NAME OF REGISTRANT AS SPECIFIED IN ITS CHARTER)

Puerto Rico									66-0783622
(State or other jurisdiction of incorporation or organization)									(I.R.S. employer identification number)
Cupey Center Building,			Road 176, Kilometer 1.3,
San Juan,			Puerto Rico						00926
(Address of principal executive offices)									(Zip Code)

(787) 759-9999

(Registrant’s telephone number, including area code)

Not applicable

(Former name, former address and former fiscal year, if changed since last report)

COMMISSION FILE NUMBER 001-35872

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

☐ Written communications pursuant to Rule 425 under the Securities Act (17 CFR 230.425)

☐ Soliciting material pursuant to Rule 14a-12 under the Exchange Act (17 CFR 240.14a-12)

☐ Pre-commencement communications pursuant to Rule 14d-2(b) under the Exchange Act (17 CFR 240.14d-2(b))

☐ Pre-commencement communications pursuant to Rule 13e-4(c) under the Exchange Act (17 CFR 240.13e-4(c))

Securities registered pursuant to Section 12(b) of the Act:

Title of Class			Trading Symbol(s)			Name of each exchange on which registered
Common Stock, $0.01 par value per share			EVTC			New York Stock Exchange

Indicate by check mark whether the registrant is an emerging growth company as defined in as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act. ☐

Item 8.01 Other Events

On August 29, 2025, Sinqia S.A. (“Sinqia”), a Brazilian subsidiary of EVERTEC, Inc. (“Evertec” or the “Company”), identified unauthorized activity in its environment of the Brazilian Central Bank (“BCB”) real-time payment system known as Pix. Upon detecting the incident, and in accordance with its incident response protocol, Sinqia halted transaction processing in its Pix environment and began working with outside cybersecurity forensics experts. Subsequently, the BCB informed Sinqia that it would not be permitted to resume processing transactions in the Brazilian Payments System (“SPB”) and Pix until the BCB reviews and approves the actions taken. Sinqia communicated promptly with federal and state law enforcement authorities in Brazil and the financial institution customers using its Pix environment.

This matter affects a single application in Brazil, and no other Evertec products or services are impacted. The unauthorized activity is related to Business-to-Business financial transactions involving two financial institutions that are customers of Sinqia’s Pix transaction processing services. The Company believes that approximately R$710 million in unauthorized transactions affecting those two Sinqia customers were processed through Sinqia’s Pix environment on August 29, 2025. The Company has been informed that a portion of that amount has been recovered and additional recovery efforts are ongoing.

Preliminary results of the Company’s forensics analysis indicate that the unauthorized transactions were introduced into Sinqia’s Pix environment by exploiting legitimate Sinqia IT vendors’ credentials. Sinqia has terminated access to these credentials.

The Company believes the incident is limited to Sinqia’s Pix environment and has not identified any unauthorized activity in any other Sinqia systems outside of Pix in Brazil. The Company also has no indication that any personal data has been compromised.

Sinqia provided BCB and the two impacted customers with third-party forensics analyses and information requested by BCB. The Company is working diligently to obtain approval to resume processing transactions in SPB and Pix.

While Sinqia’s Pix environment is used by 24 financial institution customers, the financial and reputational impact of the incident, including any impact on the Company’s internal controls, are not yet known and could be material. The Company has not yet determined the scope of any liability associated with this matter, the applicability of any insurance coverage or what claims the Company may have against third parties.

Cautionary Note Regarding Forward-Looking Statements

Certain statements in this Current Report on Form 8-K constitute “forward-looking statements” within the meaning of, and subject to the protection of, the Private Securities Litigation Reform Act of 1995. We intend such forward-looking statements to be covered by the safe harbor provisions for forward-looking statements contained in Section 27A of the Securities Act and Section 21E of the Exchange Act. All statements contained in this Current Report on Form 8-K other than statements of historical facts, including, without limitation, statements relating to the Company’s current beliefs, understanding and expectations regarding the cybersecurity incident discussed in this Form 8-K and its scope, nature and impact on the Company’s business, operations and financial results are forward-looking statements. Words such as “believes,” “expects,” “anticipates,” “intends,” “projects,” “estimates,” and “plans” and similar expressions of future or conditional verbs such as “will,” “should,” “would,” “may,” and “could” are forward-looking in nature and not historical facts. Factors that could cause actual results to differ from those expressed in these forward-looking statements include, but are not limited to, the outcome of the Company’s ongoing assessment of the incident and its ability to address the impact of this incident; legal, regulatory, reputational and financial risks resulting from this incident or additional incidents; and other important factors set forth under “Part 1, Item 1A. Risk Factors,” in the Company’s Annual Report on Form 10-K for the fiscal year ended December 31, 2024, filed with the Securities and Exchange Commission (the “SEC”) on March 3, 2025, as any such factors may be updated from time to time in the Company’s subsequent filings with the SEC. Unless required by law, the Company expressly disclaims any obligation to update publicly any forward-looking statements, whether as result of new information, future events or otherwise.

SIGNATURES

Pursuant to the requirements of the Exchange Act, the Registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

			EVERTEC, Inc.
			(Registrant)
Date: September 2, 2025			By:			/s/ Joaquín A. Castrillo-Salgado
						Joaquín A. Castrillo-Salgado
						Chief Financial Officer

FAQ

What happened in EVERTEC's reported cybersecurity incident (EVTC)?

EVERTEC reported unauthorized Business-to-Business transactions totaling approximately R$710 million were processed through Sinqia's Pix environment on August 29, 2025.

Has any customer or personal data been compromised in the EVTC incident?

According to the company, there is no indication that any personal data has been compromised.

Has any of the R$710 million been recovered?

The company states that a portion of that amount has been recovered and that additional recovery efforts are ongoing.

Was the attack due to a breach of Sinqia systems or vendor credential misuse?

Preliminary forensics indicate the unauthorized transactions were introduced by exploiting legitimate Sinqia IT vendors' credentials, which have been terminated.

How many customers use the affected Pix environment?

Sinqia's Pix environment is used by 24 financial institution customers.

Has EVERTEC determined the financial or regulatory impact?

The company has not yet determined the scope of any liability, the applicability of insurance coverage, or the full financial and reputational impact; it states these could be material.