- Evolve Bank’s data breach by Lockbit exposed 33 TB of sensitive user data from 155,586 accounts linked to major fintech firms.
- The breach, discovered in May, affected PII such as SSNs, account balances, and emails, but users were notified a month later.
- Evolve Bank’s delayed notification and non-payment of ransom raised concerns about its data protection and incident response.
Evolve Bank and Trust, which is friendly to crypto, recently reported a big data breach caused by the Russian ransomware group Lockbit. The breach stole 33 terabytes of sensitive user data. A month ago, an employee clicked on a bad link, compromising the bank’s systems.
The stolen data includes personal details like names, addresses, social security and tax ID numbers, birth dates, account balances, and email addresses as noted by Wu Blockchain. This breach impacts 155,586 accounts connected to Bitfinex, Nomad, Copper, and other companies. Although Evolve Bank discovered the breach in late May, they only told affected users last week.
The ransomware attack caused some of Evolve Bank’s systems to malfunction due to unauthorized activity. The bank claims it managed to halt the attack within a few days and has not detected any further unauthorized activity since May 31. Evolve Bank did not pay the ransom demand, and the Lockbit group mistakenly attributed the data to the Federal Reserve.
This delay in notification has raised concerns within the industry. According to Fintech Business Weekly (FBW) reporter Jason Mikula, Evolve Bank did not inform impacted fintech companies or their users until the breach became public. An industry source highlighted the unprecedented scale of the breach, stating, “I can’t think of a data breach with this much PII and consumer and commercial financial data that then is publicly available.”
Mikula, who reported on the breach, received a cease-and-desist email from Evolve Bank. He clarified that his intent was never to share sensitive PII in his reporting. An anonymous executive affected by the Evolve hack reportedly reached out to Mikula for the leaked files, as they had not received confirmation from the bank.
Evolve Bank’s handling of the breach has sparked criticism. The late notification to users and impacted companies has been a point of contention. While the bank claims to have taken steps to secure its systems and prevent further unauthorized access, the extent of the exposed data and the delay in communication have raised questions about the bank’s incident response and data protection practices.
This incident highlights weaknesses in digital banking and the big impact of cyberattacks on banks and their customers. The Evolve Bank breach shows the need for strong cybersecurity and quick communication during a data breach.
DISCLAIMER: The information on this website is provided as general market commentary and does not constitute investment advice. We encourage you to do your own research before investing.