‘Buy now, pay later’ payment specialist Affirm has warned that holders of its payment cards had their personal information exposed after a ransomware attack and data breach at Evolve Bank & Trust.

In a form 8-K, submitted to the Securities and Exchange Commission (SEC), Affirm states:

“Because the Company [Affirm Holdings, Inc] shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.”

According to Evolve, the attack started after “an employee inadvertently clicked on a malicious internet link.” Evolve refused to pay the ransom, and so the attackers leaked the data they downloaded.

Affirm isn’t the only fintech company affected by the Evolve breach. Business bank Mercury also notified customers that the data stolen from Evolve Bank & Trust included some account numbers, deposit balances, business owner names, and emails associated with Mercury and other fintech accounts.

“Affected Mercury customers have been notified of the breach and the preventative steps we are taking to keep customer funds secure.”

Money transfer service and payment platform builder Wise also published a statement on its website, informing customers it had shared full names, addresses, contact details, Social Security numbers, and other sensitive information with Evolve as part of a partnership between 2020 and 2023.

So, it’s entirely possible that other financials may come forward with similar notifications. Reportedly, Evolve has active partnerships with multiple fintech companies, including Shopify, Bilt, Plaid, and Stripe.

Keep your eyes and ears open and be wary of phishing attempts related to these breaches.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

Affirm Holdings, a prominent U.S. financial technology firm, announced that the personal information of Affirm card users may have been compromised due to a cybersecurity incident at Arkansas-based Evolve Bank and Trust. This Evolve Bank data breach, which occurred last week, involved the illegal release of customer data on the dark web. Evolve Bank, a third-party issuer of Affirm cards, revealed it was the target of a significant cybersecurity attack. Affirm has reassured its customers that its systems remain secure, and Affirm cardholders can continue to use their cards without interruption. However, the company has acknowledged that the breach involved shared personal information used to facilitate card issuance and servicing. In a statement, Affirm's spokesperson highlighted, "Affirm is aware of a cybersecurity incident involving Evolve, a third party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue. We will communicate directly with any impacted consumers as we learn more."

LockBit Blamed for Evolve Bank Data Breach

Evolve Bank disclosed that the incident was a ransomware attack perpetrated by the criminal organization LockBit. "This was a ransomware attack by the criminal organization, LockBit," reads Evolve Bank's official statement. The ransomware attack involved unauthorized access to the bank’s systems, resulting in the download and subsequent leak of sensitive customer information. This Evolve Bank data breach occurred in two phases, in February and May when an employee inadvertently clicked on a malicious internet link. "They appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link. There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May," said Evolve Bank. Further, the Bank disclosed that the threat actor also encrypted some data within its environment. However, the Bank had backups available and experienced limited data loss and impact on its operations. Moreover, Evolve Bank confirmed that they have refused to pay the ransom demand because of which LockBit has leaked the data they downloaded. "The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank," inform Evolve Bank.

Incident Details and Evolve Bank’s Response

Evolve Bank provided a comprehensive update on the data breach. The bank identified unusual system behavior in late May 2024, initially suspected to be a hardware failure but later confirmed as unauthorized activity. Cybersecurity specialists were engaged, and Evolve promptly initiated its incident response protocols, successfully halting the attack by May 31, 2024. The attack did not compromise customer funds, but sensitive data was accessed and downloaded from the bank’s databases. "At this time, we have evidence that files were downloaded from our systems," informed Bank. This included names, Social Security numbers, bank account numbers, and contact information of personal banking customers and partners, including Affirm card users. Additionally, personal information related to Evolve employees was likely impacted. "We have now learned that personal information relating to our employees was also likely impacted. We are still investigating what other personal information was affected, including information regarding our Business, Trust, and Mortgage customers," reads the official statement of Evolve Bank. Evolve Bank has undertaken several measures to enhance security and prevent future incidents:

• Global password resets.
• Reconstructing critical Identity Access Management components, including Active Directory.
• Hardening of firewall and dynamic security appliances.
• Deploying endpoint detection and response tools.

The bank is also strengthening its security response protocols, policies, and procedures to improve detection and response to suspected incidents.

Impact on Affirm Card Users and Future Actions

Affirm cardholders whose data may have been compromised will be directly notified. "The incident may have compromised some data and personal information Evolve had on record. If you do not have an Affirm Card, the incident does not impact you. If you do have an Affirm Card, we’re still investigating and we will have your back," said Affirm official statement. Evolve Bank is offering affected individuals two years of free credit monitoring and identity theft protection. Notifications will begin via email on July 8, 2024, including details about a dedicated call center for assistance and enrollment in credit monitoring services. Evolve Bank urges all affected customers to remain vigilant by monitoring their account activity and credit reports. The bank provided resources for setting up fraud alerts with nationwide credit bureaus (Equifax, Experian, and TransUnion) and obtaining free credit reports. Customers suspecting identity theft or fraud are encouraged to file reports with the Federal Trade Commission (FTC) or local law enforcement. Evolve Bank stated, "We appreciate your patience and understanding as we navigate this challenging situation. Your trust is of utmost importance to us, and we are committed to transparency."