banner

The June 26th announcement by Evolve Bank and Trust that they had fallen victim to a data breach sent shockwaves through the entire fintech and tech community. What was once thought an impenetrable bastion became a stark example of the glaring vulnerabilities of digital systems despite considerable advancements in cybersecurity.

Unsurprisingly, this has raised questions and concerns about the security of digital assets and personal information in the crypto space. It has also sent jitters across several fintech startups relying heavily on Evolve for banking infrastructure and various financial services.  Evolve remains largely silent on the extent of the data breach, exacerbating the apprehension amongst partners and fintech startups. 

The Culprit: LockBit 3.0

So, how did the data breach occur?

According to reputable sources, LockBit 3.0, the infamous cybercriminal group, infiltrated Evolve’s IT network and gained access to sensitive data. The Fintech banking institution remains largely mum on what data has been leaked, but rumors suggest the following information may have been compromised:

  • Customer names
  • Social Security Numbers (SSNs)
  • Date of Birth
  • Account Information (account numbers, balances, etc.)

Some background information: LockBit 3.0 is a cybercriminal group offering ransomare-as-a-service (Raas). The group hacks into companies’ and organizations’ systems, encrypting their data and then demanding a ransom to decrypt it. They may also threaten to wipe company data unless the company pays them a ransom. Raas aside, the group is also involved in various cybercrimes, including data theft and operation disruptions.

Response and Impact on Fintech Partners

It’s difficult to pinpoint the specific details of the compromised data without an official statement from Evolve. So far, we have a brief and cryptic statement from Evolve’s communications chief, Thomas Holmes, who said, “It appears these bad actors have released illegally obtained data,” raising more questions than answers.

The fintech banking institution has an extensive list of partners, from big names like Visa and Wise to more obscure fintech companies. Evolve partners have sprung into immediate damage control as they await more details about the incident. These fintech companies have briefed their customers and reassured them that they have the situation under control.

For instance, Affirm,  the POS installment lender, posted on X that the data breach “…may have compromised some data and personal information.” of its customers. Earnin spokesperson, in a similar statement, said that  the company is “aware of this incident and monitoring it closely.” The core message remains the same across the board and can be summarized as “we know what happened and we’re waiting for further details.”

Financial Implications and Customer Impact

Data breaches have an incredibly detrimental impact on all companies. In fact, according to digitalguardian.com, companies that experience data breaches see, on average, a reduced NASDAQ performance of -3.7% a year after the breach. Although share prices may rise after the first year, NASDAQ performance continues to decline, with an average NASDAQ performance of -11.35% after 2 years. This performance drop is mainly attributed to a loss in consumer trust and increased scrutiny by regulatory authorities.

The biggest loser in this entire turmoil is, of course, the customer. Dozens to hundreds of innocent people’s accounts and personal information may be in the hands of criminals, putting them at a greater risk of identity theft and other fraudulent activity. Still, it’s worth noting that not all Evolve partners are in trouble.

For instance, Wise, in a public statement, assured its customer of the safety of their personal information and that the data breach had not impacted their systems. Customer can transact normally without fear of unauthorized access to their information. 

Wise might as well be an isolated case because many other partners weren’t so lucky. Despite the close call, the fintech company still cut ties with Evolve following the incident. 

Proactive Measures and Future Steps

On its part, Evolve has taken measures to mitigate the impact on customers since the bank data breach. Some of the measures they took include:

  • Resetting all passwords 
  • Upgrading their firewalls and cybersecurity infrastructure
  • Implementing endpoint detection and response 
  • Enhancing critical identity access management components of their security systems

Additionally, the company has engaged law enforcement agencies to help with investigations. It has also offered them complimentary credit monitoring and identity theft protection services to calm disgruntled customers. Still, customers are encouraged to take the following measures if they receive an Evolve Bank & Trust data breach Letter.

  • Change your login credentials 
  • File an identity theft police report
  • Consult a data security attorney
  • Contact all parties relevant to the breach (bank, insurance companies, creditors)
  • Change your login credentials
  • Freeze your accounts (if necessary)

Regulatory and Credibility Challenges

The data breach has shed light on Evolve’s history of sketchy practices. Recently, the Federal Reserve hit Evolve with an enforcement action asking it “to bolster its risk management programs around fintech partnerships as well as anti-money laundering laws.”

This was after the fintech company failed to adequately observe consumer compliance, anti-money laundering, and risk management programs. These unsound banking practices and failure to implement mechanisms against cybersecurity threats may have made Evolve the ideal target for LockBit 3.0. 

This run-in with the Federal Reserve isn’t the first time Evolve’s activities have raised eyebrows. Many experts have linked the Fintech institution to Synapse’s collapse. Synapse is a fintech company primarily providing banking-as-a-service (Baas) services for other fintech companies, including Yotta.

In April, Synapse filed for bankruptcy after failing to fulfill customer balances. Yotta was severely affected by this shortfall since it locked out over 85,000 customers from accessing $112 million stashed in their savings. Synapse claims that Evolve is holding the funds, yet Evolve says that it transferred all assets to Synapse after the two companies parted ways in 2023.

Evolve’s credibility remains in question, but the million-dollar question is, what’s next for the fintech startups whose customers’ personal information and data have leaked online? As it stands, all they can do is wait for more details to emerge. We anticipate potential fallouts with Evolve as more companies reevaluate their partnerships.

The Bottomline

As we’ve seen with the recent Evolve Bank data breach, the need for robust and flexible data security solutions has never been more crucial. In a landscape where cyber threats are becoming increasingly sophisticated, businesses, especially those in the fintech sector, must be vigilant and proactive in protecting their data and that of their customers.

For those seeking to bolster their cybersecurity framework, TeraDact offers a suite of products that can significantly enhance your data security posture. With tools designed for comprehensive data protection, from encryption and tokenization to redaction and risk management, TeraDact provides solutions that can be deployed across various platforms, whether on-premise or in the cloud.

To see how TeraDact can transform your approach to data security and help you build a resilient and trusted infrastructure, we encourage you to access our data workshop for free today. This proactive step could safeguard your enterprise against potential threats and secure your position in the ever-competitive financial technology landscape.

Leave a Reply

Your email address will not be published. Required fields are marked *