Affirm Holdings, a leading U.S. financial technology firm, recently revealed that the personal information of Affirm card users may have been compromised due to a cybersecurity incident at Evolve Bank and Trust. The Arkansas-based bank, which issues Affirm cards, fell victim to a significant ransomware attack orchestrated by the LockBit criminal organization. This breach, which occurred last week, resulted in the illegal release of customer data on the dark web.
Evolve Bank disclosed that the attack involved unauthorized access to its systems, from which sensitive customer information was downloaded and later leaked. The breach transpired in two phases, in February and May, and began when an employee inadvertently clicked on a malicious link. The bank clarified that, although customer funds were not accessed, personal information including names, Social Security numbers, bank account numbers, and contact information was compromised. Additionally, Evolve Bank admitted that the attackers encrypted some of its data, although backups were available, limiting data loss and operational impact.
Affirm has reassured its customers that its systems remain secure and that Affirm cardholders can continue using their cards without interruption. However, the company acknowledged the breach’s impact, noting that shared personal information used for card issuance and servicing was involved. Affirm’s spokesperson stated, “Affirm is aware of a cybersecurity incident involving Evolve, a third-party vendor that serves as an issuing partner on the Affirm Card. We are actively investigating the issue and will communicate directly with any impacted consumers as we learn more.”
In response to the breach, Evolve Bank has implemented several security measures, including global password resets, strengthening of firewall and security appliances, and deployment of endpoint detection and response tools. The bank is offering two years of free credit monitoring and identity theft protection to affected individuals, with notifications beginning on July 8, 2024. Evolve Bank urges all affected customers to monitor their account activity and credit reports vigilantly and to set up fraud alerts with nationwide credit bureaus.