Evolve Bank & Trust has distributed notification letters about the recent data breach it suffered. According to the notices, the data breach has affected over 7.6 million Americans whose data was stolen during a recent LockBit ransomware attack.
Last month, LockBit published false claims that it had breached the U.S. Federal Reserve, but it was later confirmed that the leaked data actually belonged to Evolve. This revelation prompted Evolve to verify and confirm that the stolen data was its own.
After confirming this, the bank also disclosed that it had already launched an investigation to determine the scope and extent of the data breach.
Evolve Bank explained that the ransomware attack was caused by an employee accessing a malicious link.
After becoming aware of the ransomware actors’ claim, Evolve Bank conducted an initial investigation. It revealed that one of the company’s employees clicked on a malicious link, which gave a LockBit member unauthorised access to Evolve’s database and file shares, whose contents the attacker downloaded.
Evolve insisted that its customer funds remained safe but noted that the attack had impacted several fintech customers. In a filing with the Office of the Maine Attorney General, Evolve says the breach impacted 7,640,112 individuals.
The notification letters also revealed that on May 29, 2024, Evolve identified that some of its systems were not working properly. The company initially attributed the unusual behaviour to a hardware failure, but subsequently learned that it was due to unauthorised activity.
Furthermore, although the compromise was discovered on May 29, the data breach notification says the initial breach happened in February 2024, giving the attackers a four-month head start in compromising Evolve’s network.
The letter does not include what types of data were exposed during the incident, so its information is still incomplete.
Evolve Bank is offering two years of free credit monitoring and identity protection services for U.S. residents and dark web monitoring services for international residents. However, notification letter recipients can only enrol in the service until October 31, 2024.