Affirm fears customer info pilfered during ransomware raid at Evolve Bank

Number of partners acknowledging data theft continues to rise

The number of financial institutions caught up in the ransomware attack on Evolve Bank & Trust continues to rise as fintech businesses Wise and Affirm both confirm they have been materially affected.

News of Evolve being compromised by extortionists broke last week. The Banking-as-a-Service provider officially disclosed it fell victim in late May to the LockBit crew – which steals and holds organizations' information to ransom – and reports of follow-on data privacy compromises at Evolve's partners have emerged over the past few days.

Buy-now-pay-later biz Affirm told the US Securities and Exchange Commission (SEC) on Monday that it believes personal data of Affirm Card holders was potentially stolen during LockBit's cyber-attack on Evolve.

Evolve is the third-party issuer of the Affirm Card, the latter's buy-now-pay-later debit card, and that's how Affirm was pulled into the debacle. It insists that its own systems have not been compromised.

"This incident has not impacted any other part of the company's business or operations," Affirm said in the regulatory filing.

"Upon being notified of the Evolve cybersecurity incident, the company immediately began an investigation independent of Evolve's investigation to determine whether any Affirm Card user personal information had been compromised, and that investigation, along with remediation efforts, is ongoing as of the date of this [filing]. 

"Evolve has communicated to the company that this cybersecurity incident has been contained. However, the full scope, nature, and impact of the incident on the company and Affirm Card users, including the extent to which there has been unauthorized access to Affirm Card user personal information, are not yet known."

The SEC filing follows a xeet from Affirm on June 27, informing followers that it was made aware of the Evolve incident two days prior and that it understood data "may" be compromised, but was merely investigating at that point.

The scale of the security breach, in terms of exactly how many individuals may have had their data stolen, hasn't yet been confirmed. However, the number of affected users is rising with each day a new Evolve partner discloses a breach.

Money transfer specialist Wise, which stopped working with Evolve last year, disclosed last week that some of its users may have been affected and will be notified directly in writing.

"Evolve Bank & Trust is a regulated bank that we worked with from 2020 until 2023 to provide USD account details," Wise's disclosure reads. "They've recently been affected by a data breach and some Wise customers' personal information may have been involved. We'll be emailing all Wise customers who we think may have been affected by this data breach directly. 

"For Evolve Bank & Trust to provide USD account details to Wise customers, they were required to hold identifying information. The information that we shared with Evolve Bank & Trust to provide USD account details included name, address, date of birth, contact details, SSN or EIN for US customers, or another identity document number for non-US customers. Evolve has not yet confirmed to us what data has been impacted."

As of June 28, when Wise's disclosure was last updated, Evolve may not have told the fintech company what data was affected but its updated breach notification confirms SSNs, bank account numbers, and contact information "for most" of its personal banking customers and the customers of its banking partners. Employee data is also thought to be affected.

Investigations continue to determine whether Evolve's Business, Trust, and Mortgage arms are also affected.

As for its other partners, a full list can be found on Evolve's website. Only one other has publicly acknowledged the incident.

Mercury, which does banking for startups, suggested in a xeet that at least some of its customers were affected and have been notified directly.

"We are thoroughly investigating the leaked data to understand what customer information is at risk," it said. "Additionally, Mercury account credentials – including your password – were not exposed (we do not share this information)."

All of the partners listed by Evolve have been contacted by El Reg.

A spokesperson for Melio told us: "We are aware of the Evolve Bank & Trust security breach and are diligently working with them to determine if Melio or any of our customers were impacted by it. We will keep our customers informed with any relevant information as we learn more. There have been no disruptions to Melio's operations as a result of this incident."

Imperfect storm

The disclosure of the breach couldn't have come at a worse time for Evolve, which less than a fortnight prior had to field questions following the US Federal Reserve Board and the Arkansas State Bank Department formally calling out various deficiencies.

Ransomware attacks hospitalizing security pros, as one admits suicidal feelings

READ MORE

These related to its handling of anti-money laundering practices, risk management, and consumer compliance programs. Its partnerships with other fintech companies were designated "unsafe," with the board ordering it to improve in all these areas.

"Evolve partners with various financial technology companies that, in turn, provide access to banking products and services to their end customers," said the board. "Examinations conducted in 2023 found that Evolve engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships. 

"In addition, Evolve did not maintain an effective risk management program or controls sufficient to comply with anti-money laundering laws and laws protecting consumers."

Providing all the timelines supplied by the organizations in question are correct, the Federal Reserve's warning came roughly two weeks after LockBit broke into Evolve's systems. ®

More about

TIP US OFF

Send us news


Other stories you might like