Fintech firm Affirm says Evolve Bank attack exposed customer information
Financial technology firm Affirm told regulators this week that a cyberattack on a banking partner exposed customer information.
Affirm, which operates one of the largest buy now, pay later platforms, told the Securities and Exchange Commission on Monday that information about its customers was leaked in a cyberattack on Evolve Bank. Last week, the bank confirmed that it had suffered a cyberattack exposing the personal information of an unknown number of customers.
Affirm has partnered with Evolve Bank to issue its Affirm Card, which functions like a debit card but allows users to convert transactions into installment payments.
In its SEC filing, the company says it shares Affirm Card users’ personal information with Evolve to facilitate the issuance and management of cards.
Affirm said it “believes that Affirm Card users’ personal information was compromised as part of the Evolve cybersecurity incident.”
“However, the Company’s information systems were not compromised, nor was the ability of Affirm Cardholders to continue using their Affirm Card. This incident did not impact any other part of the Company’s business or operations,” the company told regulators.
The breach is currently under investigation, but Evolve Bank has told Affirm that the incident has been contained.
“However, the full scope, nature and impact of the incident on the Company and Affirm Card users, including the extent to which there was unauthorized access to Affirm Card users’ personal information, is not yet known,” the company added, noting that law enforcement and all Affirm customers have been contacted.
The company said customers can still use Affirm cards and that it has “increased fraud monitoring” in response to the incident. Affirm does not expect the incident to have a “material” impact on its financial outlook.
TechCrunch News reported last week that Affirm was one of many Evolve customers, including money transfer company Wise, to confirm that they were affected by the attack on the bank.
Affirm also shared a breach notification letter sent to customers on X and created an FAQ page for customers.
Evolve Confirms LockBit Attack
On Monday, Evolve Bank confirmed that it had been attacked by the LockBit ransomware gang in late May. The gang falsely claimed to have hacked the U.S. Federal Reserve, but ultimately released data that came from Evolve Bank.
Evolve Bank said it discovered that some of its systems were not working in May and finally stopped the attack after several days.
The bank said LockBit gained access to its systems when an employee “inadvertently clicked on a malicious Internet link.”
“There is no evidence that criminals accessed customer funds, but it appears that they accessed and downloaded customer information from our databases and a file share during the periods of February and May,” the bank said Monday.
“The threat actor also encrypted some data in our environment. However, we have backups available and have seen limited data loss and impact to our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they had downloaded. They also incorrectly attributed the source of the data to the Federal Reserve Bank.”
Hackers stole names, Social Security numbers, bank account numbers, and contact information of customers and employees.
The bank plans to begin sending out breach notification letters on July 8, offering two years of free credit monitoring and identity theft protection.