Pierluigi Paganini July 09, 2024

The Lockbit ransomware attack on Evolve Bank has compromised the personal information of over 7.6 million individuals.

At the end of June, the LockBit gang announced that it had breached the systems of the Federal Reserve of the United States and exfiltrated 33 TB of sensitive data, including “Americans’ banking secrets.”

Despite the announcement, data leaked data from the group belongs to the Arkansas-based financial organization Evolve Bank & Trust.

The analysis of the data leaked by the LockBit group on its Tor leak site on June 26 confirmed the documents belong to the Evolve Bank & Trust.

Evolve Bank & Trust published a notice on its website to confirm the security breach and announced it has launched an investigation into the incident. The financial organization confirmed that certain personal information may have been compromised. The financial organization refused to pay the ransom and the gang leaked the stolen data.

“Evolve Bank & Trust is making retail bank customers and financial technology partners’ customers (end users) aware of a cybersecurity incident that may involve certain personal information, as well as the actions we have taken in response, and additional steps individuals may take.” reads the notice of Cybersecurity Incident. “Evolve is currently investigating a cybersecurity incident involving a known cybercriminal organization that appears to have illegally obtained and released on the dark web the data and personal information of some Evolve retail bank customers and financial technology partners’ customers (end users). We take this matter extremely seriously and are working diligently to address the situation.”

Evolve has reported the incident to law enforcement, it also added that the incident has been completely contained.

An update published on June 26, 2024 12:00pm confirmed that the company’s retail banking customers’ debit cards, online, and digital banking credentials do not appear to be impacted.

Now Evolve Bank & Trust started notifying more than 7.6 million individuals. According to a data breach notification filed with the Office of the Maine Attorney General, the security breach impacted 7,640,112 individuals.

Evolve has identified no new unauthorized activity on its network since May 31.

“On May 29, 2024, Evolve identified that some of its systems were not working properly. While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity. Evolve promptly initiated its incident response processes and stopped the attack. No new unauthorized activity on Evolve’s systems has been identified since May 31, 2024.” reads the data breach notification. “An investigation with assistance from a cybersecurity firm was initiated to investigate what happened and what data may have been impacted. Evolve also notified law enforcement and worked to add further protections to harden its systems. What personal information was involved? There is no evidence that the threat actors accessed any customer funds, but it appears the threat actors did access and download customer information”

Last week, Fintech firms Wise and Affirm confirmed they were both impacted by the Evolve Bank security breach.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)