A data breach at Evolve is hurting its many fintech partners

A data breach at Evolve Bank & Trust last month has burned many of the fintech partners the bank has sponsored — including Wise, which stopped working with the bank last year.

Evolve, which is based in Jonesboro, Arkansas, detected a cybersecurity breach in May perpetrated by LockBit, the ransomware group that falsely claimed last month that it had stolen Federal Reserve data.

By the standards of banks that have suffered data breaches, Evolve has been unusually transparent about how the data breach occurred and who did it. While most data breach victims refuse to acknowledge which specific threat actor stole their data or how, Evolve specifically named LockBit as the perpetrator, even going so far as to say the bank did not pay the ransom the group demanded.

Evolve said Monday in a public post that the bank identified in May that some of its systems were not working properly, and through an investigation discovered unauthorized access that it stopped on May 31. The bank confirmed LockBit perpetrated the ransomware attack, and that the threat actor "appeared to" have gained access when an employee "inadvertently clicked on a malicious internet link."

The bank has found no evidence that the criminals accessed any customer funds, though the ransomware group did download customer information "during periods in February and May." LockBit "also encrypted some data within our environment," but backups enabled the bank to "limit" data loss and impact on operations.

Evolve also said it refused to pay the ransom, which is why LockBit leaked the data they stole. "They also mistakenly attributed the source of the data to the Federal Reserve Bank," the bank's public statement reads.

The bank anticipates that it will begin sending individual notifications about the data breach on July 8.

Evolve works with numerous fintechs, many of which have been contacting customers in recent days to relay that Evolve informed the fintechs of the data breach. The following companies have publicly acknowledged or told customers that the Evolve data breach has affected their data:

Cyber security

LockBit stole a bank's data, but it wasn't the Fed's

Evolve Bank & Trust acknowledged the ransomware group published customer data from the bank, but the number of affected people remains unclear.

By Carter Pape

June 26

Affirm told card users in an email that the data breach at Evolve, which issues Affirm Cards, "may have" compromised some data and personal information. The payments fintech said it became aware of the incident on the evening of June 25. While Affirm did not specify how many customers were affected, it reported that it had one million card users in its latest earning report.

Bilt Rewards customers said they received notifications from the credit card company, which specializes in providing rewards for rent payments, that the incident "may have" compromised some personal data Evolve had on record. The company did not immediately respond to a request for comment.

Branch told customers that Evolve customers' data had been affected but that the bank could not confirm for the moment whether any of the payroll fintech's account holder data was impacted. The company did not immediately respond to a request for comment.

EarnIn publicly acknowledged the data breach at Evolve, which is the earned wage access service's banking partner. The fintech said it was "working hard to understand any potential impact" of the leaked data on EarnIn customer data. The company did not immediately respond to a request for comment.

Melio, a payments fintech targeted to small businesses, told American Banker that the company is working with Evolve to determine whether the fintech or its customers were impacted by the breach. "We will keep our customers informed with any relevant information as we learn more," said a spokesperson for the company. "There have been no disruptions to Melio's operations as a result of this incident."

Mercury, a business-to-business fintech that announced an expansion into consumer banking earlier this year, said the Evolve data breach involved "account numbers, deposit balances, business owner names, and emails" associated with Mercury and other fintech accounts.

Wise, which stopped working with Evolve in 2023, publicly acknowledged that the bank had data belonging to customers of the international payments fintech, formerly known as TransferWise. While Evolve had not confirmed to Wise what data had been impacted, the fintech said the bank had customers' names, addresses, dates of birth, contact details, Social Security numbers and employee identification numbers for U.S. customers, and other identity document numbers for non-U.S. customers.

A Wise spokesperson said the company is continuing a thorough investigation and has contacted customers who may have been affected by Evolve's data breach directly over email. Wise is helping set up enrollment in credit monitoring services for U.S. customers who opt-in to receive it. "Wise's systems were not compromised and our customers are able to access their accounts safely," the company said in a statement.

Yieldstreet told customers that "it is likely your information is impacted," adding that the stolen dataset "is very large, spanning hundreds of corporations and hundreds of thousands of user records." Yieldstreet told customers that the data involved in the breach "varies by individual but may include name, Social Security number, date of birth, account information and or other personal information." The company did not immediately respond to a request for comment.

Affected fintechs said the Evolve breach did not compromise any of their customers' account credentials.

Multiple additional companies that were reportedly affected by the Evolve breach did not immediately respond to requests for comment.