Fintech company Affirm says Evolve Bank attack exposed customer info

Financial technology company Affirm told regulators this week that a cyberattack on a banking partner exposed customer information. 

Affirm — which runs one of the biggest buy now, pay later platforms — told the Securities and Exchange Commission on Monday that information about its own customers leaked during a cyberattack on Evolve Bank. Last week, the bank confirmed that it suffered a cyberattack exposing the personal information of an undisclosed number of customers.

Affirm partnered with Evolve Bank to issue its Affirm Card, which operates like a debit card but allows users to convert transactions into installment payments. 

The company’s SEC filing said it shares the personal information of Affirm Card users with Evolve to facilitate the issuance and servicing of cards. 

Affirm said it “believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.” 

“However, the Company’s information systems were not compromised, nor was the ability for Affirm Card holders to continue using their Affirm Card. This incident has not impacted any other part of the Company’s business or operations,” the company told regulators. 

An investigation into the breach is ongoing, but Affirm has been told by Evolve Bank that the incident has been contained.

“However, the full scope, nature and impact of the incident on the Company and Affirm Card users, including the extent to which there has been unauthorized access to Affirm Card user Personal Information, are not yet known,” the company added, noting that law enforcement and all Affirm customers have been contacted.

The company said customers are still able to use Affirm Cards and that, in response to the incident, it has “heightened its fraud monitoring.” Affirm does not expect the incident to have a “material” impact on its financial outlook.

TechCrunch reported last week that Affirm was one of several Evolve customers, including money transfer company Wise, to confirm they were affected by the attack on the bank. 

Affirm also shared a breach notification letter it sent to customers on X and created an FAQ page for customers. 

On Monday, Evolve Bank confirmed that it had been attacked by the LockBit ransomware gang in late May. The gang falsely claimed it breached the U.S. Federal Reserve but eventually posted data that came from Evolve Bank. 

Evolve Bank said it discovered that some of its systems were not working in May and eventually stopped the attack after several days.

The bank said LockBit gained access to its systems when an employee “inadvertently clicked on a malicious internet link.”

“There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May,” the bank said on Monday. 

“The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank.”

The hackers stole names, Social Security numbers, bank account numbers, and contact information of customers as well as employees. 

The bank plans to begin sending out breach notification letters on July 8, offering two years of free credit monitoring and identity theft protection.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

 
