Evolve Bank & Trust customer data was breached, the company confirmed in a statement on its website on Wednesday.
“It appears that a known cybercrime organisation has illegally obtained data and personal information of some Evolve customers and published it on the dark web,” the bank said. In an update, Evolve said that debit card, online and digital banking credentials of its retail banking customers were not affected.
Evolve did not name the hacking group, but Bloomberg reported on Wednesday: LockBit 3.0 posted data obtained from Evolve’s system. It was released on the dark web the day before.
Affected information “may include names, account numbers, email addresses, mailing addresses, phone numbers, and Social Security numbers.” [and] “Date of Birth,” Evolve said in a statement.
The bank said it was contacting affected customers by email and letter and was offering free credit monitoring with identity theft protection, without disclosing how many customers were affected.
Evolve Bank said it is in contact with law enforcement to assist in the investigation into the matter.
The bank also advised customers to “continue to closely monitor their accounts for suspicious activity over the next 12 to 24 months.”
The incident comes less than two weeks after Evolve faced enforcement action from the Federal Reserve. Deficiencies in banks’ anti-money laundering, risk management and consumer compliance programs.
A regulator’s inspection in August 2023 found that the bank lacked an “effective risk management framework” when it came to partnering with fintechs.Evolve is one of several bank partners caught up in the bankruptcy proceedings of fintech middleware company Synapse, though the Fed stressed this month that its order is unrelated to Synapse’s problems.
Involving regulators
In the Synapse case, Jelena McWilliams, the bankrupt company’s trustee and former chairwoman of the Federal Deposit Insurance Corp., wrote to leaders of the Federal Reserve, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency and the Securities and Exchange Commission, urging them to use their agencies’ consumer protection divisions to help more than 100,000 customers who were locked out of accounts at banks affiliated with Synapse, including Evolve.
“The impact of Synapse’s bankruptcy has been devastating to end users,” McWilliams wrote to regulators, “Many of whom are unable to pay for basic living expenses and food. We thank you for your swift response to this request and respectfully urge the relevant agencies to act as soon as possible.”
The funds have been frozen for about seven weeks, but McWilliams reported this month that clients are owed about $85 million more than what’s in their partner bank accounts. McWilliams expanded that figure last week to between $65 million and $96 million.
still, Evolve and Synapse have disagreed over which company should hold the money.
Synapse said in court documents that Evolve held nearly all of the deposits of customers of its banking app Yotta.
“According to Synapse’s pro forma report provided on May 17, Evolve has $112 million in client funds stored,” Yotta CEO Adam Morris told CNBC.
Evolve suggests that’s not the case.
“Contrary to Synapse’s allegations, a thorough forensic audit will reveal that these funds are not, and have never been, owned by Evolve,” an Evolve spokesperson told CNBC. “Evolve will continue to work with the trustee and other banks to reconcile the funds actually held by Evolve and determine the most appropriate path forward.”
According to Synapse’s accounting books, almost According to CNBC, Evolve said in McWilliams’ report that all deposits held for Yotta’s clients had vanished several weeks ago. Evolve said its network of eight banks held $109 million in deposits for Yotta’s clients as of April 11. But a month later, the ledger showed only $1.4 million, the bank said, adding that neither the bank nor its clients had received any money during that period.
“A detailed investigation should be conducted into what happened to these funds or why the ledger provided by Synapse reflected fund movements that did not actually occur,” Evolve wrote.
“I think this is a moment that highlights the urgent need for a banking-as-a-service solution,” Adam Rust, director of financial services at the National Consumer Federation, told American Banker. “An event like this may not have been expected, but it’s here now, and the question is how do we protect depositors?”
According to a CNBC report, Evolve suggested it was hesitant to authorize payments to many customers until it had completed a full reconciliation of the mismatched ledgers.
“People take for granted that when they put their money with a financial institution like a bank or a financial-like company, their money is safe,” Chris O’Dinette, a professor at Texas A&M University School of Law, told American Banker. “The reality, of course, is that there are completely different sets of rules and protections in place for banks and anyone else.”