Affirm Holdings, a prominent U.S. financial technology firm, announced that the personal information of Affirm card users may have been compromised due to a cybersecurity incident at Arkansas-based Evolve Bank and Trust. This Evolve Bank data breach, which occurred last week, involved the illegal release of customer data on the dark web.
Evolve Bank, a third-party issuer of Affirm cards, revealed it was the target of a significant cybersecurity attack. Affirm has reassured its customers that its systems remain secure, and Affirm cardholders can continue to use their cards without interruption. However, the company has acknowledged that the breach involved shared personal information used to facilitate card issuance and servicing.
In a statement, Affirm’s spokesperson highlighted, “Affirm is aware of a cybersecurity incident involving Evolve, a third party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more.”
LockBit Blamed for Evolve Bank Data Breach
Evolve Bank disclosed that the incident was a ransomware attack perpetrated by the criminal organization LockBit. “This was a ransomware attack by the criminal organization, LockBit,” reads Evolve Bank’s official statement.
The ransomware attack involved unauthorized access to the bank’s systems, resulting in the download and subsequent leak of sensitive customer information. This Evolve Bank data breach occurred in two phases, in February and May when an employee inadvertently clicked on a malicious internet link.
“They appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link. There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May,” said Evolve Bank.
Further, the Bank disclosed that the threat actor also encrypted some data within its environment. However, the Bank had backups available and experienced limited data loss and impact on its operations. Moreover, Evolve Bank confirmed that they have refused to pay the ransom demand because of which LockBit has leaked the data they downloaded.
“The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank,” inform Evolve Bank.
Incident Details and Evolve Bank’s Response
Evolve Bank provided a comprehensive update on the data breach. The bank identified unusual system behavior in late May 2024, initially suspected to be a hardware failure but later confirmed as unauthorized activity. Cybersecurity specialists were engaged, and Evolve promptly initiated its incident response protocols, successfully halting the attack by May 31, 2024.
The attack did not compromise customer funds, but sensitive data was accessed and downloaded from the bank’s databases. “At this time, we have evidence that files were downloaded from our systems,” informed Bank.
This included names, Social Security numbers, bank account numbers, and contact information of personal banking customers and partners, including Affirm card users. Additionally, personal information related to Evolve employees was likely impacted. “We have now learned that personal information relating to our employees was also likely impacted. We are still investigating what other personal information was affected, including information regarding our Business, Trust, and Mortgage customers,” reads the official statement of Evolve Bank.
Evolve Bank has undertaken several measures to enhance security and prevent future incidents:
- Global password resets.
- Reconstructing critical Identity Access Management components, including Active Directory.
- Hardening of firewall and dynamic security appliances.
- Deploying endpoint detection and response tools.
The bank is also strengthening its security response protocols, policies, and procedures to improve detection and response to suspected incidents.
Impact on Affirm Card Users and Future Actions
Affirm cardholders whose data may have been compromised will be directly notified.
“The incident may have compromised some data and personal information Evolve had on record. If you do not have an Affirm Card, the incident does not impact you. If you do have an Affirm Card, we’re still investigating and we will have your back,” said Affirm official statement.
Evolve Bank is offering affected individuals two years of free credit monitoring and identity theft protection. Notifications will begin via email on July 8, 2024, including details about a dedicated call center for assistance and enrollment in credit monitoring services.
Evolve Bank urges all affected customers to remain vigilant by monitoring their account activity and credit reports. The bank provided resources for setting up fraud alerts with nationwide credit bureaus (Equifax, Experian, and TransUnion) and obtaining free credit reports. Customers suspecting identity theft or fraud are encouraged to file reports with the Federal Trade Commission (FTC) or local law enforcement.
Evolve Bank stated, “We appreciate your patience and understanding as we navigate this challenging situation. Your trust is of utmost importance to us, and we are committed to transparency.”