Evolve Bank & Trust was the victim of a data breach by the infamous Russian ransomware group LockBit, the financial institution confirmed on Wednesday, June 26.
According to a cybersecurity incident notice the bank published on its website, the cyber intrusion impacted retail customers and financial technology partners.
“Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users),” the bank posted online.
Details of the Evolve cyber incident emerged after LockBit claimed on June 23, 2024, that it had breached the Federal Reserve and published 33 terabytes of data.
Evolve confirms the LockBit data breach leaked personal information
The Memphis, Tennessee-based financial institution has confirmed that threat actors stole and released company data containing personal information.
“It appears these bad actors have released illegally obtained data, including Personal Identification Information (PII), on the dark web,” the bank said.
Evolve is working to authenticate the nature of the information stolen, which varies by individual. However, the bank believes the stolen data includes the victim’s name, Social Security Number, date of birth, account information, and other personal data.
Nevertheless, the data breach did not impact Evolve retail banking customers’ debit cards or their online and digital banking credentials.
Evolve has engaged law enforcement and leading cyber forensic experts and believes the incident was “contained and there is no ongoing threat.” Victims will also receive complimentary credit monitoring to prevent identity theft and fraud.
Additionally, Evolve advised customers and financial technology partners to remain vigilant and report any suspicious activity. The bank also continues to monitor the situation and will provide more details later.
The Evolve data breach surfaced barely two weeks after the U.S. Federal Reserve directed the bank “to bolster its risk management programs around fintech partnerships as well as anti-money laundering laws.”
The Fed warned that Evolve had engaged in “unsafe and unsound banking practices” with financial technology companies. The bank was adversely mentioned in the collapse of Synapse, a banking-as-a-service (BaaS) startup that allowed fintech companies to integrate banking services into their products.
Evolve Bank’s fintech partners confirm data breach
Evolve fintech partners include Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, PrizePool, Step, Stripe, TabaPay, and Visa.
So far, several financial technology companies have confirmed that the Evolve data breach impacted their customers’ personal information.
Mercury, a financial technology company partnering with over 200,000 startups, said the Evolve data breach leaked its clients’ “records, including some account numbers, deposit balances, business owner names, and emails associated with Mercury and other fintech accounts.”
Similarly, Affirm, a “buy now, pay later” service provider, warned its cardholders that it learned of a cybersecurity incident that “compromised some data and personal information” stored by Evolve Bank and Trust.
However, the San Francisco, California-based fintech company assured its customers that Affirm Card and Affirm Money accounts were still operational and safe to use.
While Affirm did not disclose the number of victims impacted by the Evolve data breach, the consumer lending solutions provider has over 18 million customers, suggesting that the incident could be significant.
Other fintech companies, EarnIn, Melio, and Marqeta, have also confirmed being aware of the Evolve data breach and have notified their customers or are assessing the impact.