On Wednesday, Evolve Bank and Trust, a well-known financial institution among fintech startups, revealed it had suffered a cyberattack and data breach, potentially impacting its partner companies.
The company’s statement indicated that the breach involved “the data and personal information of some Evolve retail bank customers and financial technology partners’ customers.”
Thomas Holmes, Evolve’s communications chief, confirmed to TechCrunch that the incident involved “a known cybercriminal organization,” adding that “these bad actors have released illegally obtained data on the dark web,” but declined to provide further details.
The breach appears to be linked to the infamous ransomware gang LockBit, which has posted allegedly stolen data from Evolve on its dark web leak site.
Evolve’s website lists numerous partner companies that rely on its services for financial and lending operations. To gauge the breach’s impact, TechCrunch contacted several of these partners, including Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, PrizePool, Step, Stripe, TabaPay, and Visa.
Only Affirm, EarnIn, Marqeta, and Melio responded.
Affirm spokesperson Matt Gross stated that the company is investigating the incident and will inform any affected consumers as they gather more information. Affirm also posted on X, alerting customers that the breach “may have compromised some data and personal information,” and reassured that using its card and Money Accounts remains safe.
EarnIn spokesperson Stephanie Borman acknowledged the incident and mentioned the company is monitoring it closely.
Marqeta spokesperson Kelly Kraft confirmed awareness of the breach, noting that Evolve supports a small part of their overall business. Kraft assured that affected customers have been notified and that they are collaborating with Evolve to understand the impact.
Melio CEO Matan Bar reported that the company is working with Evolve to determine any potential impact on Melio or its customers and will keep them informed.
Another partner, Mercury, disclosed on X that the breach affected records including account numbers, deposit balances, business owner names, and emails.
As more companies reveal the breach’s impact, the full extent of the incident on “some Evolve retail bank customers and financial technology partners’ customers” will become clearer.
Recently, Evolve has been under scrutiny for its fintech partnerships. On June 14, the Federal Reserve ordered Evolve to improve its risk management programs related to fintech partnerships and anti-money laundering laws, following examinations that identified unsafe banking practices.
Evolve has also been linked to the collapse of the banking-as-a-service startup Synapse, which faced bankruptcy this year. Synapse blamed its partner bank, Evolve, for the collapse, a situation still unfolding.
This story was updated to include comments from Marqeta and Melio.
