Evolve Bank & Trust customer data has been breached, the company confirmed Wednesday in a statement on its website.
“A known cybercriminal organization … appears to have illegally obtained and released on the dark web the data and personal information of some Evolve customers,” the bank said.
Debit cards, online and digital banking credentials of the firm’s retail-banking customers have not been affected, Evolve said in an update. But the bank is notifying customers of its fintech partners, it said.
Evolve did not name the hacking organization, but Bloomberg reported Wednesday that LockBit 3.0 posted data taken from Evolve’s systems on the dark web a day earlier.
Affected information “may have included full name, account number, email address, mailing address, phone number, Social Security number [and] date of birth,” Evolve wrote in its statement.
The bank is offering affected customers complimentary credit monitoring services with identity theft monitoring, it said. It did not detail how many customers are affected.
Evolve is communicating with law enforcement to help with an investigation of the matter, the bank said.
“Based on what our investigation has found and what we know at this time, we are confident this incident has been contained and there is no ongoing threat,” Evolve said.
The bank advised customers to “remain vigilant monitoring any suspicious account activity over the next 12 to 24 months.”
The incident comes less than two weeks after Evolve received an enforcement action from the Federal Reserve over shortcomings in the bank’s anti-money laundering, risk management and consumer compliance programs.
An August 2023 exam by the regulator found the bank lacked “an effective risk management framework” for its fintech partnerships. Evolve is one of several partner banks caught up in bankruptcy proceedings for fintech middleware firm Synapse. But the Fed emphasized this month that its order is independent of the Synapse matter.
Reaching out to regulators
In the Synapse case, the bankrupt company’s trustee, former Federal Deposit Insurance Corp. Chair Jelena McWilliams, wrote the leaders of the Fed, FDIC, Office of the Comptroller of the Currency and Securities and Exchange Commission, asking them to avail their agencies’ consumer protection units to the more than 100,000 customers who have been locked out of accounts with banks that partner with Synapse. Evolve is one of those banks.
“The impact of Synapse’s bankruptcy on end-users has been devastating,” McWilliams wrote to the regulators. “Many end-users are unable to pay for basic living expenses and food. I appreciate your prompt attention to this request and respectfully request that your agencies act on it as quickly as possible.”
Funds have been frozen for roughly seven weeks, yet McWilliams this month reported that customers are owed roughly $85 million more than what’s being held for them in partner banks’ accounts. McWilliams broadened that figure last week to between $65 million and $96 million.
Still, Evolve and Synapse disagree over which company holds the funds.
Synapse has said in court filings that Evolve held nearly all of the deposits of customers of the banking app Yotta.
“According to the Synapse trial balance report provided on May 17, there are $112 million of customer funds held at Evolve,” Yotta CEO Adam Moelis told CNBC.
Evolve has indicated otherwise.
“We believe that a meticulous forensic accounting investigation will reveal that these purported funds are not, and were not, in Evolve’s possession, contrary to Synapse’s claims,” a spokesman for Evolve told CNBC. “Evolve will continue cooperating with the Trustee and other banks to perform reconciliation and determine the most appropriate path forward for any funds actually held at Evolve.”
Synapse’s ledgers show that nearly all of the deposits held for Yotta customers went missing weeks ago, Evolve said in McWilliams’s report, according to CNBC. A network of eight banks held $109 million in deposits for Yotta customers as of April 11, Evolve said. But a month later, the ledger showed $1.4 million, the bank said, adding that neither it nor its customers received money during that span.
“A detailed investigation of what happened to these funds, or alternatively, why the Synapse-provided ledger reflected money movement that did not actually occur, must be undertaken,” Evolve wrote.
"I think this is a moment that underscores the urgency of resolving banking-as-a-service," Adam Rust, director of financial services at the Consumer Federation of America, told American Banker. "An event like this may not have been expected, but now here we are, and the question is how do we protect depositors?"
Evolve indicated it is hesitant to allow payments to be made to many customers until a full reconciliation of the mismatched ledgers is complete, CNBC reported.
"People take for granted that when they deposit their money with some kind of financial institution or financial-like company that has the valence of the bank, that their money is safe," Chris Odinet, a professor at Texas A&M University School of Law, told American Banker. "Of course the reality is there's a very different set of rules and protections with what you're doing with a bank and what you're doing with anyone else."
