Startups scramble to assess fallout from Evolve Bank data breach

On Wednesday, Evolve Bank and Trust, a financial institution that’s popular with fintech startups, announced that it had been victim of a cyberattack and data breach that could have affected its partner companies as well.

The incident, according to the company's statement, involved “the data and personal information of some Evolve retail bank customers and financial technology partners’ customers.”

When reached by TechCrunch, Evolve's communications chief Thomas Holmes said that the incident involves “a known cybercriminal organization.”

“It appears these bad actors have released illegally obtained data, on the dark web,” said Holmes, declining to comment further.

The cybercriminals responsible for the breach appear to be the notorious ransomware gang LockBit, which posted data allegedly stolen from Evolve on its dark web leak site.

Evolve lists a series of companies on its site as partners that rely on the banking giant to offer some of their financial and lending services. To understand the impact of the Evolve breach on these companies, TechCrunch reached out to Affirm, Airwallex, Alloy, Bond, Branch, Dave, EarnIn, Marqeta, Mastercard, Melio, Mercury, PrizePool, Step, Stripe, TabaPay and Visa.

Only Affirm, EarnIn, Marqeta and Melio responded to the request for comment.

Affirm spokesperson Matt Gross told TechCrunch that the company is investigating the incident and “will communicate directly with any impacted consumers as we learn more.”

Affirm also alerted its customers in a post on X, writing that the Evolve breach “may have compromised some data and personal information” of Affirm customers. The company also said that it’s safe to use its card and Money Accounts, and that its investigation into the impact of the breach is still ongoing.

EarnIn spokesperson Stephanie Borman said that the company is “aware of this incident and monitoring it closely.”

Marqeta spokesperson Kelly Kraft told TechCrunch that the company is aware of the breach, and that "Evolve supports a small part of our overall business."

"Our customers affected by this incident have been notified, and we are working closely with Evolve to understand their remediation effort and how our mutual customers may be impacted," Kraft said in an email.

Melio co-founder and CEO Matan Bar told TechCrunch that the company is aware of the breach and "diligently working with them to determine if Melio or any of our customers were impacted by it. We will keep our customers informed with any relevant information as we learn more. There have been no disruptions to Melio's operations as a result of this incident."

Another Evolve partner, the fintech startup Mercury, said on X that the Evolve breach impacted records associated with the company, “including some account numbers, deposit balances, business owner names, and emails.”

As more affected companies come forward, the true impact of the Evolve breach on “some Evolve retail bank customers and financial technology partners’ customers” — as the company put it — will likely become clearer.

Evolve has made headlines recently for other matters related to its fintech partnerships. On June 14, the Federal Reserve ordered Evolve Bank “to bolster its risk management programs around fintech partnerships as well as anti-money laundering laws.”

According to a statement by the Fed, examinations conducted in 2023 found that Evolve “engaged in unsafe and unsound banking practices by failing to have in place an effective risk management framework for those partnerships” with financial technology companies.

The bank has also been associated with the meltdown of banking-as-a-service startup Synapse, which provided a service that allowed others — mainly fintechs — to embed banking services into their offerings. When Synapse filed for bankruptcy this year and an attempted rescue acquisition of its assets by TabaPay fell through, the company pointed blame at its partner bank, Evolve — a saga that continues to play out.

This story was updated to include Marqeta and Melio's comments.