Evolve Bank & Trust (Evolve) is sending notices of a data breach to 7.6 million Americans whose data was stolen during a recent LockBit ransomware attack.
In June, LockBit published false claims that it breached the U.S. Federal Reserve. It was later determined that the leaked data actually belonged to Evolve Bank & Trust.
Evolve confirmed to BleepingComputer that the data belonged to them and launched an investigation to determine the scope and extent of the data breach.
The investigation revealed that an employee clicked on a malicious link, which gave a LockBit member unauthorized access to Evolve’s database and file shares, whose contents the attacker then downloaded.
Evolve said customer funds remained safe but noted that the attack had impacted several fintech customers. Affirm, Wise, and Bilt independently confirmed that the LockBit attack at Evolve impacted their customers.
As promised in Evolve’s latest status update, the company has begun sending data breach notifications to people whose personal information was stolen during the attack. In a filing with the Office of the Maine Attorney General, Evolve says that 7,640,112 people were impacted by the breach.
“On May 29, 2024, Evolve identified that some of its systems were not working properly,” reads the notice sent to affected individuals.
“While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity.”
Although the compromise was discovered on May 29, the data breach notification says the initial breach occurred on February 09, 2024, giving the attackers nearly four months of dwell time in Evolve’s network.
Evolve is now offering two years of credit monitoring and identity protection services for U.S. residents and dark web monitoring services for international residents. Recipients must enroll by October 31, 2024.
The sample letter Evolve submitted to the authorities does not state what types of data were exposed, so that part remains unknown.
Those impacted are advised to be vigilant against unsolicited communications, closely monitor their account statements and credit history, and report suspicious activity to the authorities.
Evolve has active partnerships with other entities, including Shopify, Stripe, and Mercury, but those companies have not yet disclosed whether the LockBit ransomware incident impacted them.
Shopify recently denied it suffered a data breach after a threat actor attempted to sell the alleged data of 180,000 users of the e-commerce platform.
The shared data samples include full names, email addresses, telephone numbers, order details, and Shopify account details.
The company stated to BleepingComputer that the reported data loss was caused by a third-party app that will soon notify affected customers.