Evolve Bank says cybercriminals accessed personal data of millions of customers

 

According to an announcement, Evolve confirmed that the personal data of at least 7.6 million people was accessed during the incident, the fallout from which continues to grow.

Evolve Bank did not specify the types of data compromised in its filing, but previously stated on its website that attackers accessed names, social security numbers, bank account numbers, and contact information of its personal banking customers, as well as the personal data of Evolve employees and information from its financial technology partners.

Among these partners, Affirm confirmed that the Evolve breach may have compromised some data and personal information of its customers. Another partner, fintech startup Mercury, revealed on X that the breach impacted some account numbers, deposit balances, business owner names, and emails.

Money transfer organisation Wise also confirmed last week that some Wise customers’ personal information may have been involved.

More on the cyberattack

Evolve confirmed that the breach resulted from a ransomware attack by the Russia-linked LockBit gang. The bank detected the intrusion in May, discovering that hackers had accessed its systems. Evolve did not pay the ransom demand, leading LockBit to publish the compromised data on its revived dark web leak site.

In the letter sent to affected customers, Evolve said that the hackers accessed and downloaded customer information from Evolve’s databases and a file share during periods in February and May 2024.