Evolve Bank & Trust says the data of more than 7.6 million customers was stolen during the LockBit break-in in late May, per a fresh filing with Maine's attorney general.

The filing lists the total number of persons affected (including residents) at 7,640,112.

It's the first time Evolve has confirmed the scale of the data theft - which affected at least three of its major partners, past and present - and it expects the number to rise as its investigations continue.

Both Wise and Affirm, international money transfer and buy-now-pay-later companies respectively, confirmed in SEC filings last week that they were both materially affected by the break-in at Evolve. 

Wise severed ties with Evolve last year but was still impacted by the incident. Mercury also suggested it could be affected.

However, none of the company's partners have yet revealed the extent to which the ransomware crew that cops allege is headed by Dmitry Khoroshev managed to pillage their customers' data.

The Register approached all 15 partners listed on Evolve's website and only received a response from one other company, Melia, and the last we heard it was probing any potential impact rather than confirming anything.

As for Evolve, its letter to customers reads: "On May 29, 2024, Evolve identified that some of its systems were not working properly.

"While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity.

"Evolve promptly initiated its incident response processes and stopped the attack. No new unauthorized activity on Evolve's systems has been identified since May 31, 2024. An investigation with assistance from a cybersecurity firm was initiated to investigate what happened and what data may have been impacted. Evolve also notified law enforcement and worked to add further protections to harden its systems."

The Banking-as-a-Service provider went on to say that although it may have enacted its incident response playbook when it spotted signs of foul play, it took the vendor roughly four months to detect the intrusion.

"There is no evidence that the threat actors accessed any customer funds, but it appears the threat actors did access and download customer information from Evolve's databases and a file share during periods in February and May 2024."

The letters sent to affected individuals are usually attached to filings with state attorneys general, but typically omit details such as the specific data types stolen in each case.

Some customers may have had names and addresses stolen, while others may have had their social security numbers taken as well, for example.

We know from Evolve's earlier disclosure that SSNs, bank account numbers, and contact information "for most" of its personal banking customers and partners may be affected, as well as some staff.

That disclosure, last updated on July 8, also stated that this week's notification letters are expected to be a first round with additional, smaller rounds of notifications to come in the following weeks.

Evolve has offered impacted individuals 24 months of credit monitoring, as is often the case in major data leaks. Victims have until October 31 to enroll for these services, and the full instructions on how to do so are included in an email to be sent in the next two weeks.

Rounding off the letter, Evolve went on to say that it "had a significant number of cybersecurity measures in place," which have now been strengthened even further.

The incident, however, came against the backdrop of a stern telling off from the US Federal Reserve Board on June 14, less than a fortnight before it announced the data had been stolen.

Following a review of Evolve in 2023, the board wasn't happy at all with the Arkansas-headquartered company for a number of reasons including "deficiencies" in anti-money laundering, risk management, and consumer compliance programs. 

It was assessed to have engaged in "unsafe and unsound banking practices," particularly in relation to the absence of an effective risk management framework for its array of partners, among other issues, which resulted in an enforcement action being issued.

This, of course, came just a few weeks after Evolve became aware that LockBit was rummaging through its systems for the best part of four months - a hardly ideal 2024 for the finance firm.

Misery loves company

At least Evolve is not alone in the pits of the "data breach" filings this week. Financial Business and Consumer Solutions (FBCS) also updated Maine's attorney general on the state of its investigation regarding its own data exposure for the second time in as many weeks.

At the end of June, we reported how the debt collector's situation was going from bad to worse, and now it's worse still with the update indicating the number of affected individuals has now surpassed 4 million.

The February attack on FBCS was originally slated to have affected around 2 million people, according to its first filing in April. By the end of June, that number had risen to just north of 3.4 million, and now it stands at 4,050,711, to be precise.

The data stolen includes names, SSNs, dates of birth, account information, and identity documents, but no recognized cybercrime operation has taken credit for what the FBCS called a "cyber incident." ®

https://www.theregister.com//2024/07/09/evolve_lockbit_attack/