On Wednesday, Evolve Bank and Trust, a financial institution popular with fintech startups, announced that it was the victim of a cyber attack and data breach that could affect its partner companies as well.
The happening, according to the company’s announcementconcerned “the data and personal information of certain Evolve retail bank customers and financial technology partner customers.”
When reached by TechCrunch, Evolve’s communications manager Thomas Holmes said the incident involved “a known cybercriminal organization.”
“It appears that these bad actors have illegally released data to the dark web,” Holmes said, declining to comment further.
The cybercriminals responsible for the breach appear to be the notorious LockBit ransomware gang, which posted data allegedly stolen from Evolve on its leaked dark web site.
Evolution of lists a number of companies on its website as partners relying on the banking giant to offer some of their financial and lending services. To understand the impact of the Evolve breach on these companies, TechCrunch reached out to Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, Prizepool, Step, Stripe, Tabapay and Visa .
None of the companies except Affirm, EarnIn, Marqeta and Melio responded to a request for comment.
Contact us
Do you have more information about the Evolve breach and how it affects partner companies? From a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or via email. You can also contact TechCrunch via SecureDrop.
Affirm spokesman Matt Gross told TechCrunch that the company is investigating the incident and “will be contacting any affected consumers directly as we learn more.”
Also confirm notified its customers in a post on X, writing that the Evolve breach “may have compromised some data and personal information” of Affirm customers. The company also said it is safe to use its card and money accounts and that its investigation into the impact of the breach is still ongoing.
EarnIn spokeswoman Stephanie Borman said the company is “aware of this incident and is following it closely.”
Marqeta spokeswoman Kelly Kraft told TechCrunch that the company is aware of the breach and that “Evolve supports a small portion of our overall business.”
“Our customers affected by this incident have been notified and we are working closely with Evolve to understand the recovery effort and how our mutual customers may be affected,” Kraft said in an email.
Melio co-founder and CEO Matan Bar told TechCrunch that the company is aware of the breach and is “working diligently with them to determine if Melio or any of our customers were affected by it. We will keep our customers updated with any relevant information as we learn more. There were no interruptions to Melio’s operations as a result of this incident.”
Another Evolve partner, fintech startup Mercury, told X that the Evolve breach affected records related to the company, “including certain account numbers, deposit balances, business owner names and emails.”
As more affected companies emerge, the true impact of the Evolve breach on “certain retail bank customers and customers of Evolve’s financial technology partners” — as the company put it — will likely become clearer.
Evolve has made headlines recently for other issues related to its fintech partnerships. On June 14, the Federal Reserve ordered Evolve Bank to “strengthen risk management programs related to fintech partnerships as well as anti-money laundering laws.”
According to a statement by the Fedexaminations conducted in 2023 found that Evolve “engaged in risky and unsound banking practices by failing to have an effective risk management framework in place for these partnerships” with fintech companies.
The bank has also been associated with the collapse of banking-as-a-service startup Synapse, which provided a service that allowed others – mainly fintechs – to integrate banking services into their offerings. When Synapse filed for bankruptcy this year and an attempted buyout of its assets by TabaPay failed, the company blamed its partner bank, Evolve — a saga that continues to play out.
This story has been updated to include comments from Marqeta and Melio.
