Fintech company Wise says some customers affected by Evolve Bank data breach

A laptop keyboard and Wise on App Store displayed on a phone screen.

Image Credits: Jakub Porzycki/NurPhoto / Getty Images

The money transfer and fintech company Wise announced on Friday that some of its customers’ personal data may have been stolen in the recent data breach at Evolve Bank and Trust. 

The news highlights that the fallout from the Evolve data breach on third-party companies — and their customers and users — is still unclear, and it’s likely that it includes companies and startups that are as yet unknown.

In a statement published on its official website, Wise wrote that the company worked with Evolve from 2020 until 2023 “to provide USD account details.” And given that Evolve was breached recently, “some Wise customers’ personal information may have been involved.”

“We’ll be emailing all Wise customers who we think may have been affected by this data breach directly,” the company wrote.

Wise said that it shared U.S. customers’ personal data with Evolve, information that included names, addresses, dates of birth, contact details and Social Security numbers or Employer Identification Numbers. For non-U.S. customers, Wise also shared “another identity document number.”

At this point, it’s unclear how many Wise customers have been affected, as the company wrote that it is still “actively investigating.” 

Contact Us

Do you have more information about the Evolve breach, and how it’s affecting other companies? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

A Wise spokesperson told TechCrunch that the company is still investigating, and that it is “contacting customers who may have been affected by this breach directly.”

“Wise’s systems were not compromised and our customers are able to access their accounts safely,” the spokesperson said in an email.

When reached by TechCrunch for comment, asking whether Evolve knows how many partner companies — old and current — and end users have been affected by the breach, and whether Evolve has already contacted all of them, Evolve spokesperson Eric Helvie declined to comment and referred to the company’s official statement on its website.

As of this writing, the statement says Evolve “continues to work around the clock to respond to the recent cybersecurity incident” and promises to provide further updates. The company said the breach was a ransomware attack by the LockBit cybercrime gang, due to an employee clicking on a malicious link in May of this year. 

“There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May,” the statement read. “The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations.”

The company also promises to directly notify “each individual whose personal information was affected.”

So far, Affirm, EarnIn, Marqeta, Melio and Mercury — all Evolve partners — have acknowledged that they are investigating how the Evolve breach impacted their customers. On Monday, fintech reporter Jason Mikula shared on X a notification that Branch, another Evolve partner, had sent to a customer. Branch has yet to respond to repeated requests for comment from TechCrunch.

This story was updated to include Wise’s spokesperson statement.

Exclusive: Yieldstreet says some of its customers were affected by the Evolve Bank data breach

illustration of money raining down

Image Credits: Bryce Durbin / TechCrunch

The alternative investment platform Yieldstreet is the latest company to reveal that its customers were affected by the recent data breach at Evolve Bank and Trust, TechCrunch has exclusively learned. 

On Tuesday, Yieldstreet spokesperson Clare Burrows confirmed to TechCrunch that “some Yieldstreet customer information may have been impacted” as a consequence of the Evolve breach. 

“We have communicated this to all potentially affected customers and continue to follow best practices regarding third-party cybersecurity incidents,” Burrows said in an email.

Burrows declined to say exactly what kind of customer information was stolen or how many customers were affected.

Last week, Evolve, which is a popular financial institution for fintech startups, announced that a cyberattack affected “the data and personal information of some Evolve retail bank customers and financial technology partners’ customers.” 

As of this writing, the following companies have confirmed to TechCrunch that their customers were affected by the Evolve breach: Affirm, Branch, EarnIn, Marqeta, Melio, Mercury, Yieldstreet and Wise. 

On Monday, Jason Mikula, a fintech reporter, wrote on X that Branch, an Evolve partner, notified customers that it was affected by the Evolve incident. 

A Branch spokesperson told TechCrunch on Tuesday that the company “continues to work with Evolve to understand the scope and the impact this incident may have on Branch account holders.”

“Out of an abundance of caution, we issued an email notification to account holders about the incident and urged them to exercise vigilance in monitoring account activity and protecting their account credentials. We also reassured them that the safety and security of the Branch platform and mobile application had not been compromised,” the spokesperson wrote in an email. 

Mikula also reported that Juno, a crypto service company, and Yotta, a fintech company, were affected by the Evolve breach. In his newsletter Fintech Business Weekly, Mikula reported having reviewed stolen data from Evolve, which was posted online by the cybercrime gang LockBit. LockBit has claimed responsibility for the hack. According to the data, Mikula wrote, the following companies may have also been affected: Bitfinex, BrightSide, Copper Banking, Dave, Fund That Flip, Juno, Nomad, Rho and SoLo Funds. 

None of the above companies responded to TechCrunch’s request for comment, except for SoLo, Nomad, and Bitfinex. A SoLo spokesperson declined to comment. A Nomad spokesperson confirmed that it was affected by the Evolve breach, but also said that “it’s important to highlight that all Nomad accounts are secure and can continue to be used normally,” and that the company terminated its partnership with Evolve last year. A Bitfinex spokesperson said that the company’s “systems and data were not compromised in this incident.”

It’s likely that we still don’t know of several other companies. When reached by TechCrunch, Evolve spokesperson Eric Helvie declined to say how many of the bank’s partner companies or clients were affected by the breach. Instead, Helvie referred us to Evolve’s blog post regarding the incident.

This story has been updated to include comment from Nomad.

UPDATE, July 3 10:20 a.m. ET: This story has been updated to clarify that one of the companies that has been reported to have been affected by the Evolve breach is Copper Banking, and not Copper. The two are different companies, and a Copper spokesperson said that “no Copper data is processed by Evolve Bank, and as a result, no Copper data could potentially be impacted by a breach of Evolve Bank’s systems.” We regret the error.

UPDATE, July 3, 10:27 a.m. ET: This story was updated to include comment from Bitfinex.

Microsoft emails that warned customers of Russian hacks criticized for looking like spam and phishing

Microsoft signage is being pictured in Warsaw, Poland, on June 26, 2024.

Image Credits: Aleksander Kalka/NurPhoto / Getty Images

In March, Microsoft confirmed that Russian government hackers known as Midnight Blizzard (or APT29) had broken into its systems with the goal of stealing various kinds of information, including data on Microsoft customers. 

Months later, Microsoft is still in the process of notifying its affected customers, and it looks like the process isn’t going very well, with experts criticizing Microsoft for sending emails that look like spam, or even phishing attempts. 

Kevin Beaumont, a former Microsoft employee and now a cybersecurity researcher who closely follows the company, has been warning companies to keep an eye out for these Microsoft emails. 

“Microsoft had a breach by Russia impacting customer data and didn’t follow the Microsoft 365 customer data breach process. The notifications aren’t in the portal, they emailed tenant admins instead,” Beaumont wrote on his LinkedIn account. “The emails can go into spam — and tenant admin accounts are supposed to be secure breakglass accounts without email. They also haven’t informed orgs via account managers. You want to check all emails going back to June. It is widespread.”

One of the main issues with Microsoft’s notification email is that it includes a “secure link” to a domain that bears no apparent connection to Microsoft. Instead, the email includes a link to: “purviewcustomer.powerappsportals.com.” 

“Basically, the critical alert looks like a phishing attack,” one person wrote on X.

That link has been submitted to urlscan.io, a site that can help spot malicious links, more than a hundred times. That suggests that a lot of organizations saw that official, legitimate Microsoft email and thought it was malicious.

The urlscan.io submissions also suggest there are at least a hundred companies that were affected by the Russian government hack on Microsoft. U.S. cybersecurity agency CISA previously said that the Russian hackers also stole emails of several federal agencies. 

Apart from Beaumont’s warnings, there is some evidence that Microsoft customers are legitimately confused. In a Microsoft support portal, one customer shared the email their organization received in an attempt to get clarity on whether it was a genuine Microsoft email. 

“This email has several red flags for me, the request for the TenantID and essentially admin or high level email addresses, the powerapps page being barebones, and some quick Googling not finding anything related to the title of this email or it’s [sic] contents,” the person wrote. “Can anyone confirm this is a legit Microsoft email request?”

Commenting on Beaumont’s LinkedIn post, a cybersecurity consultant said that “several” of his clients received the email and “All of them were worried it was phishing.”

“At first glance, this did not inspire trust for the recipients, who started asking in forums or reaching out to Microsoft account managers to eventually confirm that the email was legitimate…weird way for a provider like this to communicate an important issue to potentially affected customers,” the consultant wrote. 

Microsoft spokespeople did not respond when TechCrunch asked how many organizations have been notified, or if the company plans to change the way it notifies affected customers. 

Durex India spilled customers' private order data

Durex India

Image Credits: Jagmeet Singh / TechCrunch

Durex India, the Indian subsidiary of the British condom and personal lubricants brand, has exposed its customers’ personal information, including their full names and order details.

Security researcher Sourajeet Majumder contacted TechCrunch this week about the exposure of sensitive customer data on the condom maker’s website.

The brand’s website spilled customer names, phone numbers, email addresses, shipping addresses, the products ordered and the amount paid. The exact number of affected customers is not known. However, the researcher found evidence that hundreds of people had information exposed because of a lack of proper authentication on its order confirmation page.

“For a brand dealing with intimate products, ensuring privacy is crucial,” Majumder told TechCrunch.

TechCrunch verified Majumder’s findings, and found that customer order details were still accessible online at the time of writing. As such, TechCrunch is withholding certain details about the exposure so as not to aid malicious actors.

When reached by TechCrunch prior to publication about the exposed customer information, Ravi Bhatnagar, a spokesperson for Durex parent company Reckitt, declined to comment or say if the company plans to secure its customers’ information.

The researcher told TechCrunch that the data could be exploited for identity theft, and contact details may result in unwanted harassment. Majumder said that he also contacted India’s Computer Emergency Response Team (CERT-In) about the security lapse, which acknowledged his email.

“Affected customers can also become victims of social harassment or moral policing because of this leak,” the researcher said.

Texas sues GM, saying it tricked customers into sharing driving data sold to insurers

cars driving on a freeway

Image Credits: David Paul Morris/Bloomberg / Getty Images

Texas filed a lawsuit Tuesday against GM over years of alleged abuse of customers’ data and trust. New car owners were presented with a “confusing and highly misleading” process that was implied to be for their safety, but “was no more than a deceptively designed sales flow” that surrendered their data for GM to sell. The suit contends that at no point was selling driving data ever even suggested as a possibility, putting GM in violation of the state’s consumer protection laws.

Texas Attorney General Ken Paxton is seeking a jury trial and at least $10,000 per offense (every GM car sold in the state since 2015) and a hefty add-on of $250,000 in cases where the victim was over 65.

Texas seems to be flying high after a recent $1.4 billion settlement from Meta over other privacy concerns. This may well be a way to solve any pending budgetary issues in the Lone Star State.

FlightAware warns that some customers' info has been 'exposed,' including Social Security numbers

a photo of an airbus a340 with vapor trails behind it seen from the ground, with a deep blue sky

Image Credits: Walter Geiersperger / Getty Images

Flight tracking site FlightAware has blamed a “configuration error” for exposing a raft of personal information of its customers, including some of their Social Security numbers.

The company, which claims to be one of the largest aggregators of flight data, said in a notice on its website that it identified the unspecified error on July 25, which exposed names, email addresses, and more, depending on what information users provided to the company. 

FlightAware said the exposed data includes “billing address, shipping address, IP address, social media accounts, telephone numbers, year of birth, last four digits of your credit card number, information about aircraft owned, industry, title, pilot status (yes/no), and your account activity (such as flights viewed and comments posted).”

In a separate notice with California’s attorney general’s office, FlightAware said that its investigation found passwords and Social Security numbers were also exposed. 

As a result, the company said it’s requiring all affected users to reset their account passwords. FlightAware does not say in the notice whether customers’ stored passwords are scrambled or to what extent. 

The notice filed with the state says the breach dates as far back as January 2021, over three years ago. 

The company’s description of a configuration error implies a mistake on the company’s part, rather than a malicious cyberattack. 

While FlightAware concedes that customer data was exposed, it’s not known if anyone accessed or exfiltrated the data, or if the company has the technical means, such as logs, to determine if anyone downloaded the customer data.

FlightAware spokesperson Kathleen Bangs did not respond to requests for comment, nor say how many customers are affected.

FlightAware says on its website that it has more than 10 million monthly users. 

Care.com to pay customers $8.5M in FTC settlement for deceiving caregivers, families

Image Credits: Beata Zawrzel/NurPhoto via Getty Images

The U.S. Federal Trade Commission (FTC) is requiring Care.com, a platform for gig workers in the eldercare and child care space, to pay $8.5 million in refunds for deceiving caregivers who were looking for jobs and making it difficult for families to cancel their paid memberships.

The agency said on Monday that the company’s marketing messages misled customers about the number of jobs that were available on its platform and the amount of money the jobs pay.

Separately, the FTC said Care.com made it complicated to cancel memberships, sometimes guiding users to multi-page questionnaires and warnings, and ordered it to provide a “simple cancellation method.”

Care.com released a statement saying it settled with the FTC to keep its focus on helping families and caregivers, despite originally being “fully prepared to litigate for the next several years if necessary.”
