Buy now, pay later loan company Affirm is warning that holders of its payment cards had their personal information exposed due to a data breach at its third-party issuer, Evolve Bank & Trust.
Evolve is a large financial services provider specializing in retail and commercial banking, payment processing, and banking-as-a-service.
In June, the LockBit ransomware gang falsely claimed to have breached the US Federal Reserve and stolen 33 TB of data.
After researchers analyzed the data, it was determined that it had been stolen from Evolve Bank & Trust, which confirmed to BleepingComputer that the data belonged to them.
In an update published yesterday, Evolve said it has responded to the incident by resetting passwords globally, reconstructing critical Identity Access Management components, including Active Directory, and applying various network hardening measures.
As of the latest investigation findings, there's evidence that the stolen data includes names, Social Security Numbers, bank account numbers, and contact information.
Affirm, one of Evolve's clients, is now warning its customers that their personal and financial information might have been exposed in the Evolve data breach.
Affirm shares customer data with Evolve as required to issue Affirm Cards, a debit card that lets you pay for purchases over time.
Affirm added that Evolve had assured them the cybersecurity incident had been contained.
Affirm says users may continue to transact normally as the Company remains on high alert for potentially suspicious activity linked to the incident.
The breach at Evolve has potentially affected several other fintech firms in the US, with Wise and Bilt confirming they were impacted.
Wise published a statement on its website late last week, informing customers it had shared full names, addresses, contact details, Social Security numbers, and other sensitive information with Evolve as part of a partnership between 2020 and 2023.
Bilt has also sent customers notifications that its partnership with Evolve may have led to the compromise of sensitive customer information.
A Bilt employee confirmed on Reddit that they are unsure if any of its customers' data was actually exposed.
Evolve has also promised to email, on July 8, 2024, individual notifications to all persons confirmed to have been impacted by the incident.
Due to the severity of the Evolve data breach, we will likely see further fintech companies disclose potential data breaches as the investigation continues.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 02 Jul 2024 16:00:28 +0000