Why Did Nayax Refuse To Pay?
Israeli payments company Nayax has refused to pay a ransom demanded by hackers who stole transaction records, scanned documents and other business information from a cloud account linked to one of its subsidiaries.
The Nasdaq- and Tel Aviv-listed company confirmed on July 14 that data had been exfiltrated during the incident, six days after it first disclosed suspicious activity in the cloud environment. Nayax said its board decided not to comply with the attackers’ extortion demands because paying would not serve the long-term interests of its customers, partners, employees or shareholders.
Nayax first reported the incident on July 8 after detecting anomalous activity in a cloud computing account associated with a subsidiary. The account was blocked after the activity was identified, but the company has not disclosed when the intrusion began, how the attackers obtained access or how long they remained inside the account.
What Data Was Stolen?
Nayax said its investigation found that the hackers copied a backup containing scanned documents, other business-related information and payment transaction records.
The company said the transaction records did not include cardholder names, CVV security codes or identification information because those details are generally not retained in its systems. It has not yet disclosed the number of transactions contained in the backup, the dates covered by the records or the number of merchants and consumers potentially affected.
A significant share of the affected transactions involved digital wallets such as Apple Pay and Google Pay, according to Nayax. Those payments use tokenized credentials rather than reusable card details, reducing the value of the exposed information if it is published or traded.
Still, the company acknowledged that its review of the precise scope and full contents of the stolen data remains ongoing. That leaves open the possibility of additional findings as forensic work continues.
Investor Takeaway
The breach currently appears limited to copied backup data rather than active payment-processing systems. The main investor risk is not operational disruption, but the potential financial, legal and reputational impact if the stolen material is broader or more sensitive than currently known.
Why Does The Payment Infrastructure Matter?
Nayax said customer safeguarded funds remained untouched and that the attackers did not obtain unauthorized access to customer accounts. Its production environment, core systems and payment-processing infrastructure were not affected, and operations continued without disruption.
That distinction matters because Nayax sits inside the payment chain for vending machines, self-service kiosks, electric-vehicle chargers and other unattended retail equipment. A compromise of active processing infrastructure would carry a different level of operational risk from the theft of stored backup data.
Founded in 2005, Nayax provides payment acceptance, merchant management and loyalty technology to operators of unattended and traditional retail businesses. As of March 31, the company had 13 offices, about 1,250 employees and connections to more than 80 merchant acquirers and payment methods.
The company processes payments on behalf of merchants, which is why consumers may see Nayax listed on card statements after purchases from vending machines or other self-service terminals. That visibility can increase reputational sensitivity even when the affected data does not include full card credentials.
What Are The Financial And Regulatory Risks?
The breach comes during a period of rapid growth and cost restructuring at Nayax. The company reported approximately $400 million in revenue for 2025, up about 24%, and net profit of $35.5 million after recording a loss in the previous year. It has projected 2026 revenue of between $510 million and $520 million.
Nayax has also been cutting staff. Shortly before the cyber incident, the company reportedly laid off 32 employees, equal to about 3% of its workforce, including 20 positions in Israel. That followed an earlier round of reductions and came despite continued revenue growth.
The cyberattack has already generated expenses for forensic investigation, remediation, system reviews and incident response. Nayax said additional costs could follow, while insurance or indemnification arrangements may offset part of the bill.
The company has not yet quantified those costs or disclosed whether it expects regulatory investigations, consumer notifications or litigation in any jurisdiction. It also said the effect on customer behavior remains unknown.
Investor Takeaway
Nayax does not currently expect the incident to have a material effect on its financial condition or operating results. That assessment depends on the final scope of the stolen data, the hackers’ next move and how regulators, merchants and consumers respond.
What Comes Next?
The incident highlights the gap between Nayax’s initial disclosure and the more complete findings released several days later. On July 8, the company said it did not believe material information had been exposed and noted that hackers sometimes exaggerate claims to pressure victims. By July 14, Nayax had confirmed that backups containing transaction records and scanned documents had been removed from the subsidiary’s cloud account.
Nayax is now betting that refusing payment, containing the intrusion and limiting the value of the stolen payment data will be less damaging than complying with the hackers’ demands. The remaining risk is no longer whether data was taken, but what else is inside the stolen backups and whether the attackers follow through on their threat to publish it.




