On Wednesday, Evolve Bank and Trust, a financial institution popular with fintech startups, announced it had fallen victim to a cyberattack and data breach that may have also affected its partner companies.
The incident involved “some data and personal information of Evolve's retail banking customers and customers of its financial technology partners,” the company said in a statement.
Speaking to TechCrunch, Evolve's public relations director Thomas Holmes said the incident involved a “known cybercrime organization.”
“These bad actors appear to have published illegally obtained data on the dark web,” Holmes said, declining to comment further.
The perpetrator of the breach is believed to be the notorious ransomware gang LockBit, which posted the data it allegedly stole from Evolve to its dark web leak site.
Evolve lists a number of companies on its website as partners that provide some of the bank's financial and lending services. TechCrunch reached out to Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, Prizepool, Step, Stripe, Tabapay and Visa to understand the impact of the Evolve breach on these companies.
Apart from Affirm, EarnIn and Melio, none of the companies responded to requests for comment.
Affirm spokesperson Matt Gross told TechCrunch that the company is investigating the incident and will “reach impacted consumers directly once we have more information.”
Affirm also issued a warning to customers in a post on X, writing that the Evolve breach “may have exposed some data and personal information” of Affirm customers. The company also said that use of cards and money accounts is safe and that its investigation into the impact of the breach is ongoing.
EarnIn spokeswoman Stephanie Bowman said the company was “aware of this incident and is monitoring it closely.”
Melio founder and CEO DeeDee Rudenstein told TechCrunch that the company is aware of the breach and is “working diligently with them to determine whether Melio or our customers were affected. Once we have more information, we will update customers with any relevant information. There has been no disruption to Melio's operations as a result of this incident.”
Another Evolve partner, fintech startup Mercury, told ExNews that the Evolve breach affected records related to the company, including “some account numbers, deposit balances, business owner names and emails.”
As more affected companies come forward, the true impact that Evolve's breach had on “some of Evolve's retail banking customers and financial technology partner customers,” as the company puts it, will likely become clearer.
Evolve has also recently been in the spotlight for other issues related to its fintech partnerships. On June 14, the Federal Reserve Board ordered Evolve Bank to “strengthen its risk management program with respect to fintech partnerships and anti-money laundering laws.”
A 2023 investigation found that Evolve “did not have an effective risk management framework in place in its partnerships” with financial technology companies, thereby engaging in unsafe and unsound banking practices, according to a Fed statement.
The bank was also involved in the collapse of Synapse, a banking-as-a-service startup that primarily helped fintech companies embed banking services into their own offerings. When Synapse filed for bankruptcy this year and Tabapay's attempt to rescue its assets failed, the company blamed its partner bank, Evolve, though the matter is still ongoing.