Financial technology company Affirm told regulators this week that a cyberattack on a banking partner exposed customer information.
Affirm – which runs one of today’s largest buy now, pay later platforms – told the Securities and Exchange Commission on Monday that information about its own customers was leaked in a cyberattack on Evolve Bank. Last week, the bank confirmed it had suffered a cyberattack exposing the personal information of an undisclosed number of customers.
Affirm has partnered with Evolve Bank to issue its Affirm Card, which functions like a debit card but allows users to convert transactions into installment payments.
The company’s SEC filing indicates that it shares Affirm Card users’ personal information with Evolve to facilitate issuance and servicing of the cards.
Affirm said it “believes that Affirm Card users’ personal information was compromised as part of the Evolve cybersecurity incident.”
“However, the company’s information systems were not compromised, nor was the ability of Affirm cardholders to continue using their Affirm card. This incident did not impact any other part of the company’s business or operations,” the company told regulators.
An investigation into the breach is ongoing, but Affirm has been informed by Evolve Bank that the incident has been contained.
“However, the scale, nature and impact of the incident on the company and Affirm Card users, including the extent to which there was unauthorized access to Affirm Card users’ personal information, are not yet known,” the company added, noting that law enforcement and all Affirm customers have been contacted.
The company said customers can still use Affirm cards and that in response to the incident it has “strengthened its fraud monitoring.” Affirm does not expect the incident to have a “material” impact on its financial outlook.
TechCrunch reported last week that Affirm was one of several Evolve customers, including money transfer company Wise, to confirm that they were affected by the attack on the bank.
Affirm also shared a breach notification letter sent to customers and created an FAQ page for customers.
Evolve confirms LockBit attack
On Monday, Evolve Bank confirmed that it had been attacked by the LockBit ransomware gang at the end of May. The gang falsely claimed to have breached the US Federal Reserve, but ultimately released data from Evolve Bank.
Evolve Bank said it discovered that some of its systems were not working in May and eventually stopped the attack after several days.
The bank said LockBit gained access to its systems when an employee “inadvertently clicked on a malicious internet link.”
“There is no evidence that the criminals accessed customer funds, but it appears that they accessed and downloaded customer information from our databases and a file share during periods in February and May,” the bank said on Monday.
“The malicious actor also encrypted some data within our environment. However, we have backups available and have experienced limited data loss and impact to our operations. We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they had downloaded. They also mistakenly attributed the data source to the Federal Reserve Bank.”
The hackers stole the names, social security numbers, bank account numbers and contact information of customers as well as employees.
Evolve Bank plans to start sending breach notification letters on July 8, offering two years of free credit monitoring and identity theft protection.