THREAT ALERT

Evolve Bank and Trust Breach

Wednesday, July 10th, 2024


In late June 2024, the LockBit cybercriminal group claimed responsibility for breaching a government agency and said it planned to release the stolen data. It was later revealed that the group had actually breached Evolve Bank and Trust.

At the end of June, there were claims that the LockBit cybercriminal group had breached a government agency and planned to release data exfiltrated from that breach. However, those claims turned out to be entirely untrue. Instead, LockBit did release data from another breach: Evolve Bank & Trust.

According to a statement from the Memphis-based bank obtained from DarkReading, the attack occurred in late May when an Evolve employee clicked on a malicious phishing link. Although the attackers didn’t access any customers’ money, they were able to download customer information from databases and a file share. Some data was encrypted, but thanks to backups, the company “experienced limited data loss and impact on our operations.” Evolve has sanitized its environment, but the full impact of the released data is still being assessed.

London-based FinTech company “Wise” also released a statement: “Evolve Bank & Trust is a regulated bank that we worked with from 2020 until 2023 to provide USD account details. They’ve recently been affected by a data breach, and some Wise customers’ personal information may have been involved. We’ll be emailing all Wise customers who we think may have been affected by this data breach directly.”

In addition to Wise, Affirm—a large buy-now-pay-later platform—reported in their 8-K filing with the SEC: “On June 25, 2024, Evolve Bank & Trust (‘Evolve’), the third-party issuer of the Affirm Card, notified the Company that Evolve had experienced a cybersecurity incident whereby a third party gained unauthorized access to personal information and financial information (‘Personal Information’) of Evolve retail banking customers and the customers of its financial technology partners. Because the Company shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident. However, the Company’s information systems were not compromised, nor was the ability for Affirm Card holders to continue using their Affirm Card. This incident has not impacted any other part of the Company’s business or operations.”

Evolve apparently has partnerships with other large and notable businesses in the financial services industry. Many of these partners are investigating the incident and assessing the impact. As of now, Wise and Affirm seem to be the most visible partners affected.

The silver lining, if there is one, is that impacted partners appear to have suffered only data loss and not additional occurrences of ransomware. Nevertheless, the information obtained from the release of Evolve’s data will likely be leveraged by other bad actors in their own social engineering and phishing campaigns, which is what led to this situation in the first place.

As the days go by, more of Evolve’s partners may come forward to notify customers of the impact. If you or any providers you use have been partnered with Evolve, exercise extra caution with suspicious texts, emails, phone calls, etc. If in doubt, never provide personal or sensitive information to a caller. Most companies rarely call to ask for login credentials, passwords, banking information, or authorization to move funds. If you receive a suspicious or unexpected call, find the correct number for that organization and call them directly.

References:

hxxps://www[.]darkreading[.]com/cyberattacks-data-breaches/fintech-frenzy-affirm-and-others-emerge-as-victims-in-evolve-breach

hxxps://wise[.]com/help/articles/1Tyvn34K9tp08aZ0y0Hqe0/data-breach-at-evolve-bank-trust-in-the-us

hxxps://www.sec[.]gov/Archives/edgar/data/1820953/000182095324000027/afrm-20240625.htm

James Bruhl

Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures, specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.