On Wednesday, Evolve Bank and Trust, a financial institution known for fintech startups, announced that it had been the victim of a cyber attack and data breach that may have also affected its partner companies.
The incident, according to the company’s statement, involved “data and personal information of certain Evolve retail banking customers and financial technology partner customers.”
When reached by TechCrunch, Evolve’s chief communications officer Thomas Holmes said the incident involved “a known cybercriminal organization.”
“It appears that these bad actors have released illegally obtained data on the dark web,” Holmes said, declining to comment further.
The cybercriminals responsible for the breach appear to be the notorious LockBit ransomware gang, which posted data allegedly stolen from Evolve on its dark web leak site.
Evolve lists a number of companies on its site as partners that rely on the banking giant to provide some of their financial and lending services. To understand the impact of the Evolve breach on these companies, TechCrunch reached out to Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, PrizePool, Step, Stripe, TabaPay and Visa.
Only Affirm, EarnIn, Marqeta and Melio responded to a request for comment.
Contact us
Do you have more information about the Evolve breach and how it is affecting partner companies? From a broken device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You can also contact TechCrunch through SecureDrop.
Afirm spokesperson Matt Gross told TechCrunch that the company is investigating the incident and will “communicate directly with any affected consumers as we learn more.”
Affirm also warned its customers in a post on X, writing that the Evolve breach “may have compromised some data and personal information” of Affirm customers. The company also said it is safe to use its card and money accounts and that its investigation into the impact of the breach is still ongoing.
EarnIn spokeswoman Stephanie Borman said the company is “aware of this incident and is monitoring it closely.”
Marqeta spokeswoman Kelly Kraft told TechCrunch that the company is aware of the breach and that “Evolve supports a small portion of our overall business.”
“Our customers affected by this incident have been notified and we are working closely with Evolve to understand their remediation efforts and how our mutual customers may be affected,” Kraft said in an email.
Melio co-founder and CEO Matan Bar told TechCrunch that the company is aware of the breach and “working diligently with them to determine if Melio or any of our customers were affected by it. We will keep our customers informed with any relevant information as we learn more. There has been no disruption to Melio’s operations as a result of this incident.”
Another Evolve partner, fintech startup Mercury, told X that the Evolve breach affected data associated with the company, “including some account numbers, deposit balances, business owner names and emails.”
As more affected companies emerge, the true impact of the Evolve breach on “certain retail banking customers and customers of Evolve’s financial technology partners” — as the company put it — will likely become clearer.
Evolve has made headlines recently for other issues related to its fintech partnerships. On June 14, the Federal Reserve ordered Evolve Bank to “strengthen its risk management programs around fintech partnerships as well as anti-money laundering laws.”
According to a statement from the Fed, examinations conducted in 2023 found that Evolve “engaged in unsafe and unsafe banking practices by failing to establish an effective risk management framework for those partnerships” with financial technology companies.
The bank has also been associated with the merger of banking-as-a-service startup Synapse, which offered a service that enabled others – mainly fintechs – to integrate banking services into their offerings. When Synapse filed for bankruptcy this year and an attempt to salvage its assets from TabaPay failed, the company blamed its partner bank, Evolve — a saga that continues to play out.
This story was updated to include comments from Marqeta and Melio.