Evolve Bank & Trust, a leading US-based bank-as-a-service, has announced that cybercriminals have accessed the personal data of millions of its customers in a recent cyber attack.
In a filing with the Maine Attorney General on Monday, Evolve confirmed that the personal data of at least 7.6 million people, including more than 20,000 Maine-based customers, was accessed in the incident, but the impact continues to grow.
TechCrunch asked Evolve if that number is likely to increase, but has not yet received a response.
Evolve did not disclose in its filing what type of data was compromised, but previously said in a statement on its website that attackers accessed names, Social Security numbers, bank account numbers and contact information of the company's individual banking customers, personal data of Evolve employees and customer information of the company's financial technology partners.
This list of partners also includes Affirm, which recently confirmed that the Evolve breach “may have compromised some data and personal information” of its customers. Another Evolve partner, fintech startup Mercury, said in an X post that the Evolve breach affected “some account numbers, deposit balances, business owner names, and emails.”
Money transfer company Wise (formerly TransferWise) also acknowledged last week that “personal information of Wise customers may have been involved.”
It's not yet clear whether the list of types of compromised data may grow, but Evolve says it is “continuing to investigate what other personal information may have been affected, including information about our business, trust and mortgage customers.”
Last week, Evolve confirmed that the breach was the result of a ransomware attack carried out in February by the Russia-linked Rockbit group, which was disrupted in a multi-government operation earlier this year but whose administrators remain at large.
The bank became aware of the intrusion in May when it discovered hackers had accessed its systems. Evolve said it did not pay the hackers' ransom demand, and Rockbit has since published the compromised data on a resurrected dark web leak site.
In a letter sent to affected customers, Evolve said the hackers “accessed and downloaded customer information from Evolve's databases and file shares between February and May 2024.”