Startups scramble to assess fallout from Evolve Bank data breach
On Wednesday, Evolve Bank and Trust, a financial institution thatâs popular with fintech startups, announced that it had been victim of a cyberattack and data breach that could have affected its partner companies as well. Â
The incident, according to the companyâs statement, involved âthe data and personal information of some Evolve retail bank customers and financial technology partnersâ customers.âÂ
When reached by TechCrunch, Evolveâs communications chief Thomas Holmes said that the incident involves âa known cybercriminal organization.â
âIt appears these bad actors have released illegally obtained data, on the dark web,â said Holmes, declining to comment further.
The cybercriminals responsible for the breach appear to be the notorious ransomware gang LockBit, which posted data allegedly stolen from Evolve on its dark web leak site.Â
Evolve lists a series of companies on its site as partners that rely on the banking giant to offer some of their financial and lending services. To understand the impact of the Evolve breach on these companies, TechCrunch reached out to Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, Prizepool, Step, Stripe, Tabapay, and Visa.Â
None of the companies, except for Affirm and EarnIn, responded to the request for comment.Â
Contact Us
Do you have more information about the Evolve breach and how itâs impacting partner companies? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
Affirm spokesperson Matt Gross told TechCrunch that the company is investigating the incident and âwill communicate directly with any impacted consumers as we learn more.â
Affirm also alerted its customers in a post on X, writing that the Evolve breach âmay have compromised some data and personal informationâ of Affirm customers. The company also said that itâs safe to use its card and Money Accounts, and that its investigation into the impact of the breach is still ongoing.Â
EarnIn spokesperson Stephanie Borman said that the company is âaware of this incident and monitoring it closely.â
Another Evolve partner, the fintech startup Mercury, said on X that the Evolve breach impacted records associated with the company, âincluding some account numbers, deposit balances, business owner names, and emails.âÂ
As more affected companies come forward, the true impact of the Evolve breach on âsome Evolve retail bank customers and financial technology partnersâ customersâ â as the company put it â will likely become clearer.Â
Evolve has made headlines recently for other matters related to its fintech partnerships. On June 14, the Federal Reserve ordered Evolve Bank âto bolster its risk management programs around fintech partnerships as well as anti-money laundering laws.â According to a statement by the Fed, examinations conducted in 2023 found that Evolve âengaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnershipsâ with financial technology companies.
The bank has also been associated with the meltdown of banking-as-a-service startup Synapse, which provided a service that allowed others â mainly fintechs â to embed banking services into their offerings. When Synapse filed for bankruptcy this year and an attempted rescue acquisition of its assets by TabaPay fell through, the company pointed blame at its partner bank, Evolve â a saga that continues to play out.