Startups Scramble to Assess Fallout from Evolve Bank Data Breach
On Wednesday, Evolve Bank and Trust, a financial institution popular with fintech startups, announced that it had been the victim of a cyberattack and data breach that could have affected its partner companies as well.
The incident, according to the company's statement, involved "the data and personal information of some Evolve retail bank customers and financial technology partners' customers."
When reached, Evolve's communications chief Thomas Holmes said that the incident involves "a known cybercriminal organization." "It appears these bad actors have released illegally obtained data, on the dark web," said Holmes, declining to comment further.
The cybercriminals responsible for the breach appear to be the notorious ransomware gang LockBit, which posted data allegedly stolen from Evolve on its dark web leak site.
Evolve lists a series of companies on its site as partners that rely on the banking giant to offer some of their financial and lending services. To understand the impact of the Evolve breach on these companies, several companies were reached out to, including Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, Prizepool, Step, Stripe, Tabapay, and Visa.
None of the companies, except for Affirm and EarnIn, responded to the request for comment.
Affirm spokesperson Matt Gross said that the company is investigating the incident and "will communicate directly with any impacted consumers as we learn more." Affirm also alerted its customers in a post, writing that the Evolve breach "may have compromised some data and personal information" of Affirm customers. The company also said that it's safe to use its card and Money Accounts, and that its investigation into the impact of the breach is still ongoing.
EarnIn spokesperson Stephanie Borman said that the company is "aware of this incident and monitoring it closely."
Another Evolve partner, the fintech startup Mercury, said on X that the Evolve breach impacted records associated with the company, "including some account numbers, deposit balances, business owner names, and emails."
As more affected companies come forward, the true impact of the Evolve breach on "some Evolve retail bank customers and financial technology partners' customers" — as the company put it — will likely become clearer.
Evolve has made headlines recently for other matters related to its fintech partnerships. On June 14, the Federal Reserve ordered Evolve Bank "to bolster its risk management programs around fintech partnerships as well as anti-money laundering laws."
According to a statement by the Fed, examinations conducted in 2023 found that Evolve "engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships" with financial technology companies.
The bank has also been associated with the meltdown of banking-as-a-service startup Synapse, which provided a service that allowed others — mainly fintechs — to embed banking services into their offerings. When Synapse filed for bankruptcy this year and an attempted rescue acquisition of its assets by TabaPay fell through, the company pointed blame at its partner bank, Evolve — a saga that continues to play out.
Get All The Latest Updates Delivered Straight To Your Inbox For Free!