On Wednesday, Evolve Bank and Trust, a financial institution popular with fintech startups, announced it had fallen victim to a cyberattack and data breach that may have also affected its partner companies.
The incident involved “some data and personal information of Evolve’s retail banking customers and customers of its financial technology partners,” the company said in a statement.
Speaking to TechCrunch, Evolve’s public relations director Thomas Holmes said the incident involved a “known cybercrime organization.”
“These bad actors appear to have published illegally obtained data on the dark web,” Holmes said, declining to comment further.
The perpetrator of the breach is believed to be the notorious ransomware gang LockBit, which posted the data it allegedly stole from Evolve on its dark web leak site.
Evolve lists a number of companies on its website as partners that provide some of the bank’s financial and lending services. TechCrunch reached out to Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, Prizepool, Step, Stripe, Tabapay and Visa to understand the impact of the Evolve breach on these companies.
None of the companies except Affirm and EarnIn responded to requests for comment.
inquiry
Do you have more information about the Evolve breach and how it impacts our partners? You can securely contact Lorenzo Franceschi-Bicchierai from a non-work device via Signal (+1 917 257 1382), Telegram, Keybase, Wire @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
Affirm spokesperson Matt Gross told TechCrunch that the company is investigating the incident and will “reachive impacted consumers directly once we have more information.”
Affirm also issued a warning to customers in a post on X, writing that the Evolve breach “may have exposed some data and personal information” of Affirm customers. The company also said that use of cards and money accounts is safe and that its investigation into the impact of the breach is ongoing.
Earn-In spokeswoman Stephanie Bowman said the company was “aware of this incident and is monitoring it closely.”
Another Evolve partner, fintech startup Mercury, told ExNews that the Evolve breach affected records related to the company, including “some account numbers, deposit balances, business owner names and emails.”
As more affected companies come forward, the true impact that Evolve’s breach had on “some of Evolve’s retail banking customers and financial technology partner customers,” as the company puts it, will likely become clearer.
Evolve has also recently attracted attention for other issues related to its fintech partnerships. On June 14, the Federal Reserve ordered Evolve Bank to “strengthen its risk management program related to fintech partnerships and anti-money laundering laws.” According to a statement from the Fed, a 2023 investigation found that Evolve “engaged in unsafe and sound banking practices by failing to put in place an effective risk management framework related to its partnerships” with financial technology companies.
The bank was also involved in the collapse of banking-as-a-service startup Synapse, which primarily helped fintech companies embed banking services into their own offerings. When Synapse filed for bankruptcy this year and Tabapay’s attempt to rescue its assets failed, the company blamed its partner bank, Evolve, but the tragedy continues.
