Fintech Frenzy: Affirm & Others Emerge as Victims in Evolve Breach

A ransomware attack against a large financial services provider has become a problem for many companies it works with, two of which have already alluded to potential negative impacts on customer data.

The infamous LockBit group earned some undue attention early last week when it claimed to have hacked the US Federal Reserve. In fact, it had breached the far lesser Evolve Bank & Trust.

According to a statement from Memphis-based Evolve, the attack occurred in late May, when an Evolve employee clicked on a malicious phishing link. Though the attackers didn't access any customers' money, they were able to access and download customer information from databases and a file share. They also encrypted some data but, thanks to backups, the company "experienced limited data loss and impact on our operations."

LockBit was kicked out of Evolve's systems by the end of the month. But after the victim refused to pay the ransom, the group leaked the data it had stolen.

The twist is that, in addition to banking and lending for private citizens and businesses, Evolve offers business-to-business (B2B) banking-as-a-service (BaaS) and payments processing technologies. So beyond its own direct customers, its latest cyber incident has also spread to users of other financial companies that integrate with it, and more victims of the breach are coming to light.

Dominos Start Falling

For example, there's the multibillion-dollar London-based Wise. According to a statement last week, it partnered with Evolve from 2020 to 2023 to "provide USD account details" to its customers. To enable that service, Wise shared with Evolve its customers' names, addresses, dates of birth, contact details, and ID numbers, including employer identification numbers and Social Security numbers. According to Wise, this information "may have been involved" in Evolve's latest breach.

Ditto to buy now, pay later (BNPL) company Affirm, which uses Evolve to issue and service its credit card-style Affirm Cards. Customers' cards remain untouched, but the personal information Affirm shared with Evolve is another matter. "The full scope, nature and impact of the incident on the Company and Affirm Card users, including the extent to which there has been unauthorized access to Affirm Card user Personal Information, are not yet known," the company reported in an 8-K filing with the SEC.

Evolve has many other notable partners in the financial services industry, most notably Stripe and Shopify. A number of them are currently investigating whether their customers' data has been affected.

"This is another unfortunate example of a supply chain problem impacting an organization," says Erich Kron, security awareness advocate at KnowBe4. "The more we have these very large companies that service many smaller ones, the more this threat will continue to become apparent through breaches such as this. Unfortunately for Affirm, it will be their name going out on the breach notifications and potentially their reputation at risk."