Evertec is investigating a cybersecurity breach that exposed payment‑card data belonging to customers of several Puerto Rico financial institutions after an unauthorized party accessed information stored on a third‑party platform the company uses to monitor system performance.
In a statement, the company said it detected the intrusion on May 13 and immediately activated its incident‑response protocols, brought in external cybersecurity specialists, and notified law enforcement. Evertec’s internal systems remain secure, and its operations, as well as those of its client institutions, have continued without interruption.
The breach occurred in a system operated by an external service provider rather than in Evertec’s own infrastructure. The compromised environment contains data used to track Evertec’s service performance. According to the company, the unauthorized party obtained information belonging to certain financial institution clients and their customers. The data involved includes payment card numbers and, in some cases, names, expiration dates, dates of birth, phone numbers, and other contact information.
The press release notes there is no evidence that personal identification numbers (PINs) or CVV numbers were compromised.
Evertec said there is still no indication that the exposed information has been used for fraudulent activity. They also emphasized that consumers can continue using their cards because the security elements required to authorize transactions were not included in the compromised data set. Modern debit and credit cards rely on multiple layers of authentication, and Evertec said those safeguards remain intact.
The company is still determining the full scope of the incident. Based on preliminary information from financial institutions, Evertec believes only a limited number of cards will need to be replaced.
Evertec has been in direct communication with the unnamed financial institutions involved and is supporting them as they notify cardholders. Individuals whose card information was part of the incident will receive a mailed notice in the coming weeks.
The company will offer 24 months of complimentary credit‑monitoring services through Experian to those affected.
To address consumer concerns, Evertec has launched an information page and is preparing a dedicated call center to assist individuals with questions. The company is treating the matter with urgency and is reviewing both its own security posture and that of its third‑party providers as the investigation continues.
