Evolve data breach impacted upward of 7.64 million consumers

The number of persons affected by a recent data breach at Evolve Bank & Trust exceeds 7.64 million, a document submitted to the Office of the Maine Attorney General this week by the law firm representing the financial services organization reveals.

According to the document, the breach occurred on February 9, but was not discovered until May 29. In a letter sent to its customers and released on Monday, the firm, which is headquartered in Memphis, Tennessee, said it “identified that some of its systems were not working properly. While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity.”

There is, Evolve said, “no evidence that the threat actors accessed any customer funds, but it appears (they) did access and download customer information from (our) databases and a file share during periods in February and May 2024.”

“We are still investigating what other personal information was affected, including information regarding our Business, Trust and Mortgage customers,” it added.

In a post on the bank’s website, it said that the ransomware attack was carried out by the LockBit organization. LockBit ransomware-as-a-service (RaaS) was launched in 2019, and in May, the suspected creator and administrator was indicted in the US on more than two dozen criminal charges.

The post further states, “they appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link. The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our systems.”

Evolve said it refused to pay the ransom demanded by the threat actor, and said,  “As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank.”

Since becoming aware of the incident, it said it has taken the following steps to “enhance existing controls and further secure our environment”:  Resetting passwords globally, reconstructing critical Identity Access Management components, including Active Directory, further hardening of firewall and dynamic security appliances, and deploying endpoint detection and response and other security tools to harden the network.

“We are in the process of further strengthening our security response protocols, policies and procedures, and our ability to detect and respond to suspected incidents,” Evolve stated.

It said, “it appears that names, Social Security numbers, bank account numbers and contact information were affected for most of our personal banking customers, as well as customers of our Open Banking partners. We have now learned that personal information relating our employees was also likely impacted.”

In the letter sent Monday, the bank gave customers free access for two years to an identity theft protection service, and said a dedicated call center had been set up to answer any questions about the incident.

More data breach news:

• Hackers steal data of 200k Lulu customers in an alleged breach
• Japan aerospace agency provides details of October data breach
• Mobile surveillance software firm mSpy suffers data breach