Data Breaches
July 3, 2024

Affirm Reports Evolve Bank Data Breach Impacting Cardholders

Affirm, a leading "buy now, pay later" fintech company, has alerted its cardholders to a data breach involving its third-party issuer, Evolve Bank & Trust (Evolve). This incident has resulted in the exposure of personal information of Affirm's payment card users.

Affirm is known for offering consumer-friendly alternatives to traditional credit, including point-of-sale financing and virtual cards accessible through a mobile app. One of its flagship products is the 'Affirm Card,' a fully integrated physical card. Evolve, a prominent financial services provider, specialises in retail and commercial banking, payment processing, and banking-as-a-service (BaaS). It collaborates with numerous fintech companies such as Shopify, Bilt, Plaid, Stripe, and Mercury to support their banking backend services, including card issuance, deposit management, and loan facilitation.

In June, the ransomware group LockBit erroneously claimed to have breached the US Federal Reserve and stolen 33 TB of data. Subsequent analysis revealed that the data was actually stolen from Evolve Bank & Trust. Evolve confirmed to BleepingComputer that the compromised data belonged to them.

"Evolve is currently investigating a cyber security incident involving a known cyber criminal organisation. It appears these bad actors have released illegally obtained data on the dark web," an Evolve spokesperson told BleepingComputer.

Affirm Affected by Evolve Bank Cyber Security Breach

In an update, Evolve stated it has taken measures to address the breach, including global password resets, reconstruction of critical Identity Access Management components like Active Directory, and various network hardening efforts. The stolen data reportedly includes names, Social Security Numbers (SSNs), bank account numbers, and contact information.

Affirm, one of Evolve's clients, is now informing its customers that their personal and financial information might have been compromised due to the Evolve data breach. Affirm's partnership with Evolve necessitates the sharing of customer data for issuing Affirm Cards. As part of this breach, Affirm believes the personal information of its cardholders was exposed.

"On June 25, 2024, Evolve Bank & Trust ('Evolve'), the third-party issuer of the Affirm Card, notified Affirm that Evolve had experienced a cyber security incident whereby a third party gained unauthorised access to personal information and financial information of Evolve retail banking customers and the customers of its financial technology partners," reads an 8-K filing by Affirm.

Evolve assured Affirm that the cyber security incident has been contained, although the investigation into the scope and extent of the unauthorised access is ongoing. Affirm advises users to remain vigilant for suspicious activity but assures them that normal transactions can continue.

Broader Impact on Fintech Firms

The Evolve data breach has also affected other fintech firms in the US, including Wise and Bilt. Wise informed its customers that sensitive information, such as full names, addresses, contact details, and Social Security numbers, had been shared with Evolve as part of a partnership from 2020 to 2023. Wise reassured customers about the security of their accounts but recommended heightened vigilance against potential phishing attacks.

Similarly, Bilt notified its customers about the potential compromise of sensitive information due to its partnership with Evolve. A Bilt employee confirmed on Reddit that there is no clear evidence yet of actual exposure of their customers' data. Bilt reassured users that their accounts remain secure and that the platform's operations are unaffected.

Evolve has committed to emailing individual notifications to all persons confirmed to have been impacted by the incident by July 8, 2024. Given the severity of the breach, it is expected that more fintech companies might disclose potential data breaches as the investigation progresses.

This incident underscores the critical need for robust cyber security measures and heightened vigilance in the fintech sector. Affirm and other affected companies continue to monitor the situation and implement necessary safeguards to protect their customers' information.
