In a filing with the Maine attorney general, Evolve Bank and Trust confirmed the LockBit attack, which affected more than 7.6 million Americans. The attack also affected at least three of Evolve’s partners, including Wise, which had severed ties with the company in 2023.
This is the first time Evolve has confirmed the scale of the attack since it happened earlier in May. Leaked data can include names, addresses, bank account numbers, and Social Security Numbers for banking customers and partners alike. However, the bank did not mention particulars in the sample letter submitted to authorities. As investigations into the attack continue, the number of affected partners is also expected to rise.
The bank has started informing affected users of the breach, stating that the issue “initially appeared to be a hardware failure” but turned out to be unauthorised activity. It further claims to have stopped the attack on May 31 and says no unauthorised activity has been detected since. Additionally, Evolve claims to have found no evidence that the threat actors accessed any customer funds.
Although Evolve identified suspicious activity on its systems on May 29, the breach occurred on February 9, giving the attackers almost four months inside Evolve’s systems to scrape and collect as much information as possible. As is the case with ransomware attacks, the breach also spread to Evolve’s partners. Three of the fifteen partners the bank lists on its website (Affirm, Wise, and Bilt) have independently confirmed being affected by the breach, with the rest still conducting investigations.
Evolve has offered affected customers 24 months of credit monitoring, as is the norm in data breaches, especially of this scale. Victims can enroll in the service until October 31, and full details and instructions will be included in an email they’ll receive in the next two weeks.