Buy now, pay later loan company Affirm is warning that holders of its payment cards had their personal information exposed due to a data breach at its third-party issuer, Evolve Bank & Trust (Evolve).
Affirm is a fintech firm that provides consumer-friendly alternatives to traditional credit options. It also offers point-of-sale financing, virtual cards on a mobile app, and a fully integrated physical card called the ‘Affirm Card.’
Evolve is a large financial services provider specializing in retail and commercial banking, payment processing, and banking-as-a-service (BaaS).
It has active partnerships with multiple fintech companies, including Shopify, Bilt, Plaid, Stripe, and Mercury. These fintech companies use it to provide the banking backend for their products, including issuing cards, managing deposits, and facilitating loans.
In June, the LockBit ransomware gang falsely claimed to have breached the US Federal Reserve and stolen 33 TB of data.
However, after researchers analyzed the data, it was determined that it had been stolen from Evolve Bank & Trust, which confirmed to BleepingComputer that the data belonged to them.
“Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization. It appears these bad actors have released illegally obtained data, on the dark web,” an Evolve Spokesperson told BleepingComputer.
Affirm impacted by Evolve data breach
In an update published yesterday, Evolve said it has responded to the incident by resetting passwords globally, reconstructing critical Identity Access Management components, including Active Directory, and various network hardening measures.
As of the latest investigation findings, there’s evidence that the stolen data includes names, Social Security Numbers (SSNs), bank account numbers, and contact information.
Affirm, one of Evolve’s clients, is now warning its customers that their personal and financial information might have been exposed in the Evolve data breach. Affirm shares customer data with Evolve as required to issue Affirm Cards, a debit card that lets you pay for purchases over time.
“On June 25, 2024, Evolve Bank & Trust (“Evolve”), the third-party issuer of the Affirm Card, notified Affirm (the Company) that Evolve had experienced a cybersecurity incident whereby a third party gained unauthorized access to personal information and financial information (“Personal Information”) of Evolve retail banking customers and the customers of its financial technology partners,” reads the 8-K filing.
“Because the Company shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.”
Affirm added that Evolve had assured them the cybersecurity incident had been contained. However, an investigation into the scope of the breach and the extent of the unauthorized access is still ongoing.
Meanwhile, Affirm says users may continue to transact normally as the Company remains on high alert for potentially suspicious activity linked to the incident.
Wise and Bilt impacted too
The breach at Evolve has potentially affected several other fintech firms in the US, with Wise and Bilt confirming they were impacted.
Wise published a statement on its website late last week, informing customers it had shared full names, addresses, contact details, Social Security numbers, and other sensitive information with Evolve as part of a partnership between 2020 and 2023.
Wise assured customers that their accounts remain secure and it’s safe to continue using their ‘Wise Cards’ but recommended heightened vigilance against potential phishing attacks.
Bilt has also notified customers via notifications that its partnership with Evolve may have led to the compromise of sensitive customer information.
However, a Bilt employee confirmed on Reddit that they are unsure if any of its customers’ data was actually exposed.
“We provided this notice out of an abundance of caution, but at this time Evolve has not indicated what, if any, Bilt user information has been impacted,” a Bilt employee posted on Reddit.
Similarly to the other entities, Bilt reassured users that their accounts remain secure and that the platform wasn’t directly impacted; hence, there’s no disruption to its operations.
Evolve has also promised to email individual notifications to all persons confirmed to have been impacted by the incident on July 8, 2024.
Due to the severity of the Evole data breach, we will likely see further fintech companies disclose potential data breaches as the investigation continues.