Written by: RJ
Evolve Bank & Trust was the victim of a data breach. This is the bank behind many of the fintech platforms we use for various banking and bonuses, such as Wise, Juno, Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Melio, Mercury, PrizePool, Step, Stripe, TabaPay, and Bilt. (Thanks to DoC)
UPDATE: July 3, 2024
Evolve is on schedule to commence individual notifications starting July 8, 2024. These notifications will include an offer of two years of comprehensive credit monitoring and identity protection services for U.S. residents, while international residents will be offered dark web monitoring services where available. Additionally, the notices will provide detailed information on these services, along with instructions for registration and contact details for our dedicated call center, established to assist with enrollment and address any inquiries related to the incident.
Our initial round of notifications is expected to be completed over approximately two weeks. As previously mentioned, our investigation is ongoing, and we anticipate subsequent, smaller rounds of notifications.
We appreciate your ongoing patience throughout this process and regret any inconvenience caused by this incident.
Posted: July 1, 2024
The Evolve Team continues to work around the clock to respond to the recent cybersecurity incident. We are committed to transparency and have provided a detailed update below about what happened, how we are responding, and actions you can take. We will continue to provide regular updates on this page.
Thank you for your continued patience. We regret any inconvenience this incident may cause and are grateful for your understanding.
Because the investigation continues and information is being regularly updated and to avoid confusion, we have removed and archived previous updates.
What Happened
In late May 2024, Evolve Bank & Trust identified that some of its systems were not working properly. While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity. We engaged cybersecurity specialists to investigate and determined that unauthorized activity may have been the cause. We promptly initiated our incident response processes, stopped the attack within days, and have seen no new unauthorized activity since May 31, 2024. We engaged outside specialists to investigate what happened and what data was affected, as well as a firm to help us restore our services. We reported this incident to law enforcement.
While the investigation is ongoing, we want to share some important information about what we know so far. At this time, current evidence shows the following:
- This was a ransomware attack by the criminal organization, LockBit.
- They appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link.
- There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May.
- The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations.
- We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank.
Thoughts
Unfortunate that we find out about it so late. Best to do the password change and keep an eye out.