Evolve Bank & Trust, a financial institution with both traditional banking and open banking services, disclosed a data breach impacting a staggering 7.64 million individuals.
The Arkansas-based bank initially believed a “hardware failure” caused system disruptions in late May, but an investigation revealed a cyberattack with a much longer timeline.
Evolve confirmed hackers infiltrated their network as early as February, potentially compromising sensitive customer data. While the official notification letter filed with the Maine Attorney General avoids specifics, the bank has acknowledged stolen information, including names, Social Security numbers, bank account numbers, and contact details.
Affirm and Wise Customers Hit By Attack
This breach extends beyond Evolve’s core clientele, impacting customers of its open banking platform (often referred to as Banking-as-a-Service) used by several fintech firms. “Buy now, pay later” provider Affirm and money transfer service Wise are among those notifying their customers of potential data exposure due to Evolve’s security lapse.
The incident adds another layer of concern for Evolve, which faced a regulatory order from the Federal Reserve Board in June. The order mandated improvements to Evolve’s anti-money laundering (AML) and risk management programs, citing the need for enhanced procedures in record keeping and consumer compliance. This regulatory action raises questions about whether vulnerabilities exploited in the cyberattack might have been linked to the bank’s AML/compliance shortcomings.
LockBit Claims Evolve Bank Attack
LockBit, a Russian-speaking ransomware-as-a-service (RaaS) group, claimed responsibility for the attack. Interestingly, LockBit initially attributed the stolen data to the Federal Reserve, likely due to a stolen document referencing the central bank.
“The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank,” Evolve Bank said at the time.
This error highlights the evolving tactics of RaaS groups, who often employ misinformation or disinformation campaigns alongside cyberattacks to create confusion and maximize impact.
The Evolve breach puts across the critical need for robust cybersecurity measures in financial institutions. With the increasing adoption of open banking platforms and the ever-present threat of RaaS attacks, institutions must prioritize data security and implement strong access controls, encryption, and incident response protocols. Regulatory bodies are likely to intensify their scrutiny of financial institutions’ cybersecurity posture in the wake of this incident.
