A data breach at Evolve is hurting its many fintech partners

A data breach last month at Evolve Bank & Trust affected several of the bank’s sponsored fintech partners, including Wise, which stopped working with the bank last year.

Jonesboro, Arkansas-based Evolve detected a cybersecurity breach in May perpetrated by LockBit, the ransomware group that falsely stated last month he had stolen federal reserve data.

By the standards of banks that have suffered data breaches, Evolve has been unusually transparent about how the data breach occurred and who committed it. While most data breach victims refuse to acknowledge which specific threat actor stole their data or how, Evolve specifically named LockBit as the perpetrator, even going so far as to say that the bank did not pay the ransom the group demanded.

Evolve said Monday in a public post that the bank identified in May that some of its systems were malfunctioning and, through an investigation, discovered unauthorized access that it blocked on May 31. The bank confirmed that LockBit carried out the ransomware attack and that the threat actor “appeared” to have gained access when an employee “inadvertently clicked on a malicious Internet link.”

The bank found no evidence that criminals had access to customer funds, although the ransomware group downloaded customer information “during periods in February and May.” LockBit “also encrypted some data within our environment,” but backups allowed the bank to “limit” data loss and impact on operations.

Evolve also said it refused to pay the ransom, which is why LockBit leaked the stolen data. “They also incorrectly attributed the source of the data to the Federal Reserve Bank,” the bank’s public statement reads.

The bank plans to begin sending individual data breach notifications starting July 8.

Evolve works with a number of fintechs, many of which have contacted customers in recent days to let them know that Evolve has notified the fintechs of the data breach. The following companies have publicly acknowledged or notified customers that the Evolve data breach affected their data:

To assert told card users in an email that the data breach at Evolve, which issues Affirm Cards, “may have” compromised some data and personal information. The payments fintech said it became aware of the incident on the evening of June 25. While Affirm did not specify how many customers were affected, it said it had a million card users in its latest earnings report.

Bilt Rewards Customers said they received notifications from the credit card company, which specializes in providing rent-payment rewards, that the incident “may have” compromised some personal data Evolve had on file. The company did not immediately respond to a request for comment.

Branch told customers that Evolve customer data had been affected, but that the bank could not immediately confirm whether the payroll fintech’s account holder data had been affected. The company did not immediately respond to a request for comment.

EarnIn publicly acknowledged the data breach at Evolve, which is the banking partner of the earned wage access service. The fintech said it was “working hard to understand any potential impact” of the leaked data on EarnIn’s customer data. The company did not immediately respond to a request for comment.

Melio, a payments fintech aimed at small businesses, told American Banker that the company is working with Evolve to determine whether the fintech or its customers were affected by the breach. “We will keep our customers posted with any relevant information as we learn more,” a company spokesperson said. “There have been no disruptions to Melio’s operations as a result of this incident.”

MercuryEvolve, a business-to-business fintech that earlier this year announced an expansion into consumer banking, said the Evolve data breach involved “account numbers, deposit balances, business owner names and emails” associated with Mercury and other fintech accounts.

Wisewhich stopped working with Evolve in 2023, publicly acknowledged that the bank had data belonging to customers of the international payments fintech, formerly known as TransferWise. While Evolve did not confirm to Wise what data was affected, the fintech said the bank had names, addresses, dates of birth, contact information, Social Security numbers, and employee identification numbers for U.S. customers and other identification numbers for non-U.S. customers.

A Wise spokesperson said the company is continuing a thorough investigation and has contacted customers who may have been affected by the Evolve data breach directly via email. Wise is helping set up credit monitoring subscriptions for U.S. customers who opt in. “Wise’s systems were not compromised and our customers are able to access their accounts safely,” the company said in a statement.

Road performance told customers that “it’s likely your information was affected,” adding that the stolen data set “is very large, spanning hundreds of companies and hundreds of thousands of user records.” Yieldstreet told customers that the data involved in the breach “varies by individual but may include name, Social Security number, date of birth, account information and/or other personal information.” The company did not immediately respond to a request for comment.

The affected fintechs said the Evolve breach did not compromise any of their customers’ account credentials.

Other companies that were reportedly affected by the Evolve breach also did not immediately respond to requests for comment.

Source