Evolve Bank Cybersecurity Breach by Russian Ransomware Reveals Financial Sector Vulnerabilities

Clear Facts

  • A recent cybersecurity incident at Evolve Bank and Trust, involving Russian ransomware group LockBit, led to the theft of an unspecified amount of customer information.
  • The stolen data includes details of customers from both Evolve Bank and its partner FinTech companies.
  • This breach, one of the most significant in recent years, has exposed the risks associated with customer identification regulations and the high volume of personal data collected under federal laws.

The public disclosure of a major bank breach has ignited important discussions about data protection and the possible pitfalls of strict customer identification regulations. Two weeks ago, Arkansas’ Evolve Bank and Trust announced a “cybersecurity incident” on its website. The incident involved the infamous Russian ransomware group LockBit and culminated in the theft of customer information.

“The hacker group, a long-time target of international law enforcement operations, had originally claimed the hack was of the Federal Reserve, raising eyebrows among financial sectors.”

However, as revealed on the group’s dark web platform, the stolen data actually belongs to customers of Evolve Bank and Trust and their FinTech partners. This data reportedly comprises customer names, Social Security numbers, birth dates, and scans of driver’s licenses and IDs.

The situation is particularly worrying because of Evolve Bank’s strategic role as a connection between traditional banking and emerging FinTech startups. This breach could potentially have far-ranging implications. Several prominent financial services firms, including Wise, Mercury, Stripe, and Affirm, among others, have already informed their customers about the potential exposure of their information.

The issue becomes even more complicated given the imminent bankruptcy of Synapse, a banking provider serving as a link between FinTech firms and traditional banks like Evolve. The recent hack will undoubtedly exacerbate this situation.

“Two factors make the alleged Evolve hack particularly devastating.”

The first factor relates to the size and scope of the companies affected. Evolve’s banking license allowed numerous FinTech partners to issue financial accounts, including some of the largest institutions in the country, serving hundreds of millions of Americans.

Secondly, federal laws such as the Bank Secrecy Act, the PATRIOT Act, the FDIC Customer Identification Program, the Dodd-Frank Act, and the newly passed Corporate Transparency Act all require customers to disclose extensive data. This data is then stored by banks and financial institutions to help combat crime.

As breach victims have already reported phishing scams, there’s concern that the information may end up in the wrong hands. Evolve Bank’s reaction to the writer Jason Mikula, who received a cease-and-desist letter for reporting on the breach, has also drawn attention.

This significant data breach serves as a harsh reminder of the challenges posed by customer identification regulations and the potential risks of collecting excessive personal data.

“Common-sense rules encouraging encryption, punishing bad actors, and reducing data collection could play a significant role in safeguarding consumers from future harm.”

Instead of focusing on amassing more information to combat crime, it’s time we question whether current laws are potentially putting us at greater risk.

3 Comments

  1. JOHN J GALLAGHER

    July 20, 2024 at 9:11 pm

    Why do we NEVER see articles in the news of these “hackers/scammers” being caught, arrested, put in jail and forbidden to touch a computer of any kind for 5-10 years? Are our agencies that incompetent?

    • K Alexander

      July 21, 2024 at 11:03 am

      I agree with the conclusion of the article–that KYC data collection is NOT the best way to prevent crime. I suspect that some of these federal laws are constitutionally questionable. Why is all the emphasis on preventing financial crimes and money laundering directed at the private sector when we know that government agencies, actors, politicians, etc, are committing the biggest breaches, crimes, and/or corruption? As noted by the commenter above, several government agencies are no longer operating as genuine public servants as intended. The Achilles heel of an effective functioning republic is that it requires a very well-informed citizenry that is vigilant about holding the government accountable for its delegated authority; this ‘requirement’ has been eroded for decades.

      • Joseph McLinden

        July 26, 2024 at 8:06 pm

        Humans are the only beings on earth that produce/invent tools with which to injure each other. Computers are an amazing technology; however, millions of humans spend their lives trying to steal money and data from their fellow humans.
