- Evolve Bank & Trust allegedly hit by a ransomware attack and data breach by hacker group LockBit.
- LockBit claims to have released 33 terabytes of data, including sensitive personal information.
- The bank is investigating the breach in conjunction with law enforcement and government agencies.
Evolve Bank & Trust has reportedly fallen victim to a ransomware attack and subsequent data breach orchestrated by the hacker group LockBit. The attack has raised significant concerns about the security of sensitive financial data.
According to reporting by Jason Mikula at Fintech Business Weekly, the leak involves plain text files that that contain: PII of account holders, including name, address, email, phone, unencrypted SSN/TIN, DOB, fintech platform, account info, status, type, balance, last activity, opened date, account number, daily limits.
Evolve was already dealing with the fallout from the Synapse banking-as-a-service debacle, which has left thousands of Fintech customers from apps like Yotta with their money frozen at Evolve.
Bank’s Response And Investigation
As reports of the breach surfaced on June 25, Evolve Bank & Trust sent an email to clients of its Open Banking Division acknowledging the situation. The email stated that the bank is working with law enforcement and government agencies to investigate the breach.Â
An Evolve Spokesperson told The College Investor on June 26:
Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization. It appears these bad actors have released illegally obtained data, on the dark web. We take this matter extremely seriously and are working tirelessly to address the situation. Evolve has engaged the appropriate law enforcement authorities to aid in our investigation and response efforts. This incident has been contained, and there is no ongoing threat.
In response to this event, we will offer all impacted customers (end users) complimentary credit monitoring with identity theft protection services. Those affected will be contacted directly with instructions on how to enroll in these protective measures. Additionally, impacted customers will receive new account numbers if warranted.
Updates and further information will be posted on our website as they become available.
Regulatory Scrutiny
The incident comes at a particularly challenging time for Evolve Bank, which recently received an enforcement action from its primary regulator, the Federal Reserve Board.Â
The enforcement action cited deficiencies in the bank’s information technology practices and mandated the development of a plan to correct these issues. This regulatory pressure underscores the critical need for robust cybersecurity procedures.
Evolve Bank is well-known in the FinTech community for its partnerships with numerous high-profile companies, including Mercury, Stripe, Affirm, Alloy, Branch, Dave, EarnIn, Prizepool, Step and TabaPay. The breach raises concerns about the potential impact on these fintech partners and their customers, especially in light of the Federal Reserve’s actions around how Evolve can interact with it’s FinTech partners.
Looking Ahead
The breach at Evolve Bank & Trust remains a developing story.
The impact will have significant implications for the bank, its clients, and the broader FinTech community.
For consumers, it’s once again important to understand if you’re banking at a “banking-as-a-service” company or are you directly banking at an FDIC-insured depository institution (or NCUA covered institution if you use a credit union). Your protection levels may vary depending on what services you utilize.Â
Don’t Miss These Other Stories: