Evolve Confirms Ransomware Hack as Challenges Grow at FinTech Partner Bank


It’s been a bad month for Evolve Bank & Trust, and it’s only getting worse.

Following a “cease and desist” order issued to the bank on June 14, the Arkansas-based lender on Wednesday (June 26) publicly confirmed the news that a ransomware gang had hacked the bank and was posting customer data on the dark web.

“Bad actors have released illegally obtained data, including Personal Identification Information (PII), on the dark web. The data varies by individual but may include your name, Social Security Number, date of birth, account information and/or other personal information,” Evolve said in a statement, echoing comments a spokesperson shared earlier with PYMNTS.

The ransomware gang behind the attack is believed to be Russian-linked cybercriminal group LockBit 3.0.

The criminal attack comes less than two weeks after Evolve’s risk management program came under Fed scrutiny. Its fallout is unfolding while Evolve itself remains locked up in the bankruptcy case with Synapse, where the funds of thousands of end customers remain inaccessible while their sensitive data is now flowing free.

The scope of the breach and the data being released could impact nearly the entire FinTech landscape beyond just the users of Evolve’s banking-as-a-service (BaaS) program partners, which include Affirm, Stripe, Mercury, Airwallex, Alloy, Bond (now part of FIS), Branch, Dave, EarnIn, TabaPay and others — along with their own customers, or anyone who has sent a payment to or received a payment from them.

Affirm on Wednesday night (June 26) confirmed that its card product was impacted by the Evolve hack.

This remains a developing story.

Read more: FinTech Banking Partner Evolve Bancorp Hit by Major Ransomware Attack

Ransomware Is a Real Issue in Financial Services

The theft of know your customer (KYC) data and alleged images of identity credentials means that the impact of the attack on Evolve could spread well beyond just the lender’s BaaS program to affect the broader financial sector, particularly external stakeholders with demand deposit accounts (DDAs) at Evolve.

LockBit 3.0, the hacking group alleged to be behind the Evolve data breach, is one of the most notorious criminal groups across the cybersecurity space.

Just last month (May 7), the U.S. Justice Department (DOJ) unsealed charges against a Russian national for his alleged role as the creator, developer and administrator of the LockBit ransomware group “from its inception in September 2019 through the present.”

“The LockBit ransomware group represented one of the most prolific ransomware variants across the globe, causing billions of dollars in losses and wreaking havoc on critical infrastructure, including schools and hospitals,” said FBI Director Christopher Wray in a statement.

As PYMNTS has reported, the FBI’s latest annual internet crime report, released this spring, revealed that U.S. financial damages due to ransomware attacks alone rose 74% in 2023.

“We’ve always had social engineering attacks, but with the advent of AI, it’s much easier to create a bot that will have a credible conversation with a victim and convince many victims at the same time to share their credentials, transfer money, and do other things that they wouldn’t normally do,” Maciej Pitucha, VP of product and data at Mangopay, told PYMNTS.

“Data is usually the answer. … Building a successful fraud prevention solution requires lots of data, lots of expertise,” Pitucha added.

Read more: Scaling Effective Cyber Hygiene Throughout Your Business

Future Proofing the Cyber Risk Landscape

The Evolve attack is happening at the tail end of a month that has seen several high-profile cyberattacks. These include the “significant volume of data” stolen from at least 165 customers of multi-cloud data warehousing platform Snowflake, as well as an attack on car dealership software provider CDK.

Particularly for small and medium-sized businesses (SMBs) that may have modest or no cybersecurity plans in place, these attacks can be devastating. And smaller banks like Evolve often don’t have the IT security budget of their larger peers. This can be seen in the shortcomings found by the Federal Reserve and the Arkansas State Bank Department during their investigation into Evolve’s oversight of partnerships with FinTech companies and anti-money laundering requirements.

And the importance of BaaS best practices is rising to the forefront against a backdrop where, according to PYMNTS Intelligence, roughly two-thirds of banks and credit unions have entered into at least one FinTech partnership in the past three years, with 76% of banks viewing FinTech partnerships as necessary to meeting customer expectations.