Evolve Bank & Trust, a prominent US banking-as-a-service company, has recently confirmed that a cyber-attack earlier in 2024 compromised the personal data of millions of customers.
In a statement filed with Maine's attorney general on July 8, Evolve confirmed that the breach affected at least 7.6m individuals, including over 20,000 customers in Maine. This disclosure marks an ongoing fallout as the full extent of the breach continues to unfold.
The statement did not specify the data types compromised, but the bank previously confirmed that names, Social Security numbers, bank account details and contact information of personal banking customers were accessed.
Additionally, employee data and information from Evolve's financial technology partners were affected.
Among these partners, Affirm acknowledged that some customer data might have been compromised, while Mercury noted that account numbers, deposit balances, business owner names and emails were impacted. Money transfer service Wise also confirmed the potential involvement of their customers' personal information.
LockBit Ransomware Attack
The extent of compromised data remains uncertain as Evolve continues its investigation. The breach stems from a February ransomware attack by the Russia-linked LockBit gang.
Read more on LockBit: LockBit Leader aka LockBitSupp Identity Revealed
Despite a multi-government operation disrupting the group earlier this year, its administrator is still at large. Evolve reportedly detected the intrusion in May, discovering that hackers had infiltrated its systems. The bank did not meet the ransom demand, prompting LockBit to publish the stolen data on its dark web leak site.
In a recent letter to affected customers, Evolve detailed that the attackers accessed and downloaded data from its databases and file shares during February and May 2024.
Evolve has also offered affected customers a 24-month complimentary membership to TransUnion's credit monitoring and identity theft protection services through Cyberscout. This measure is part of an effort to mitigate potential fraud and identity theft risks.
"It's very important to make sure that organizations are thinking about potential risks within their supply chains that could impact them directly and making plans to cope with potential incidents," said Erich Kron, security awareness advocate at KnowBe4, commenting on the news.
"To ensure that they are not a risk to their customers, organizations should ensure that they have strong security awareness programs to protect users from social engineering attacks, and robust data leakage prevention controls to minimize the risk of data being exfiltrated."