Evolve Bank says May data breach compromised the data of over 7.6m customers

U.S. bank Evolve Bank & Trust said that a data security incident it suffered earlier this year compromised the sensitive personal information of more than 7.6 million individuals.

 

In a data security incident notice filed with the Office of Maine Attorney General, the bank said that on May 29, some of its internal systems stopped working properly. An immediate investigation was launched, with assistance from external cyber security experts, that determined the bank suffered a significant cyber attack.

 

Evolve notified relevant law enforcement authorities about the incident and is working with them to resolve the issue at the earliest.

 

“There is no evidence that the threat actors accessed any customer funds, but it appears the threat actors did access and download customer information from Evolve’s databases and a file share during periods in February and May 2024,” reads the notice.

 

Earlier, Evolve said that the sensitive personal information of its customers, including their names, Social Security Numbers, dates of birth, account information and other personal information were compromised during the incident.

 

In a more recent filing with the Maine state regulator, Evolve said that as many as 7,640,112 individuals were impacted by the incident. The bank, however, confirmed that retail banking customers’ debit cards, online, and digital banking credentials were not accessed.

 

“Prior to the incident, Evolve had a significant number of cybersecurity measures in place. Since becoming aware of the incident, Evolve has taken steps to further strengthen its security response protocols, policies and procedures, and its ability to detect and respond to suspected incidents,” the bank added.

 

Evolve has offered two years of complimentary identity protection and credit monitoring services through Cyberscout to all affected individuals.

 

On June 23, the LockBit ransomware group claimed to have stolen 33 terabytes of data from the US Federal Reserve and three days later, the group published the stolen data on the dark web. An analysis of the data showed that the stolen information belonged to Evolve Bank & Trust and not the United States’ central bank.