In a massive security breach, Evolve Bank & Trust has confirmed that a ransomware attack has led to the leakage of personal data of over 7.6 million customers. According to the bank, the attackers managed to infiltrate its systems in February 2024 and remained undetected until the end of May, when the bank discovered that certain systems were malfunctioning.
Initially, the bank suspected the issue was due to defective hardware, but it soon became evident that a cyber attack was the cause. The attackers accessed and stole sensitive information, including names, social security numbers, bank account numbers, and contact details. In addition to customer data, information from employees and customers of the bank’s Open Banking partners was also compromised.
In a notification to the Maine Attorney General, Evolve Bank disclosed that the breach affected 7,640,112 individuals. This incident is one of the most significant data breaches recorded in the finance industry.
The attack and its aftermath
The attack has been attributed to the LockBit ransomware group, known for encrypting victims’ data and demanding a ransom for its release. However, Evolve Bank has stated that it did not pay any ransom. Consequently, the stolen data has been leaked online. LockBit erroneously claimed the data belonged to the U.S. Federal Reserve, which added to the initial confusion.
An employee’s inadvertent click on a malicious link allowed the attackers to gain unauthorized access to Evolve’s databases and file shares. “On May 29, 2024, Evolve identified that some of its systems were not working properly,” reads the notification sent to affected individuals. “While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity.”
Following the discovery of the breach, Evolve promptly activated its incident response protocols, halted the attack, and launched an investigation with the help of a cybersecurity firm. The bank says that no new unauthorized activity has been detected since May 31, 2024. It also emphasizes that there is no evidence of customer funds being accessed during the breach.
Impact on fintech partners
Several of Evolve’s fintech partners, including Wise and Affirm, have reported being affected by the breach. Wise, an international money transfer service, severed ties with Evolve last year but still suffered from the data exposure. Affirm, a buy-now-pay-later company, confirmed material impact on its customers. Evolve maintains active partnerships with companies such as Shopify, Stripe, and Mercury. However, these partners have not yet revealed whether they were affected by the ransomware attack.
Evolve has notified the affected individuals and is offering two years of credit monitoring and identity protection services for U.S. residents, with dark web monitoring services available for international residents. The notification letters sent out on July 8, 2024, provide detailed instructions for enrolling in these services, with the enrollment deadline set for October 31, 2024.
Security measures and regulatory scrutiny
Evolve Bank claims to have had significant cybersecurity measures in place at the time of the attack. In the wake of the incident, the bank strengthened its security protocols. These measures include resetting passwords globally, reconstructing critical identity access management components, hardening firewalls, and deploying advanced endpoint detection and response tools.
The breach comes amid regulatory scrutiny. On June 14, 2024, the U.S. Federal Reserve Board issued an enforcement action against Evolve for deficiencies in anti-money laundering, risk management, and consumer compliance programs, labeling some of its practices as “unsafe and unsound.”