Cybersecurity Incident


Posted: July 9, 2024

Evolve began individual notifications on July 8, 2024. These notifications include an offer of two years of comprehensive credit monitoring and identity protection services for U.S. residents, while international residents will be offered dark web monitoring services where available. Additionally, the notices provide detailed information on these services, along with instructions for registration and contact details for our dedicated call center, established to assist with enrollment and address any inquiries related to the incident.

Our initial round of notifications is expected to be completed over the coming weeks. As previously mentioned, our investigation is ongoing, and we anticipate subsequent, smaller rounds of notifications.

We appreciate your ongoing patience throughout this process and regret any inconvenience caused by this incident.

Posted: July 1, 2024

The Evolve Team continues to work around the clock to respond to the recent cybersecurity incident. We are committed to transparency and have provided a detailed update below about what happened, how we are responding, and actions you can take. We will continue to provide regular updates on this page.  

Thank you for your continued patience. We regret any inconvenience this incident may cause and are grateful for your understanding. 

Because the investigation continues and information is being regularly updated and to avoid confusion, we have removed and archived previous updates. 

What Happened

In late May 2024, Evolve Bank & Trust identified that some of its systems were not working properly. While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity. We engaged cybersecurity specialists to investigate and determined that unauthorized activity may have been the cause. We promptly initiated our incident response processes and stopped the attack. The Bank has seen no new unauthorized activity since May 31, 2024. We engaged outside specialists to investigate what happened and what data was affected, as well as a firm to help us restore our services. We reported this incident to law enforcement. 

While the investigation is ongoing, we want to share some important information about what we know so far. At this time, current evidence shows the following: 

  • This was a ransomware attack by the criminal organization, LockBit. 
  • They appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link. 
  • There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May. 
  • The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations. 
  • We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank. 

What We Have Done

Since becoming aware of the incident, we have taken steps to enhance existing controls and further secure our environment, including: 

  • Resetting passwords globally. 
  • Reconstructing critical Identity Access Management components, including Active Directory.  
  • Further hardening of firewall and dynamic security appliances. 
  • Deploying endpoint detection and response and other security tools to harden the network. 

We are in the process of further strengthening our security response protocols, policies and procedures, and our ability to detect and respond to suspected incidents.  

What Information is Affected

At this time, we have evidence that files were downloaded from our systems. The investigation is in its early stages, but it appears that names, Social Security numbers, bank account numbers, and contact information were affected for most of our personal banking customers, as well as customers of our Open Banking partners. We have now learned that personal information relating to our employees was also likely impacted.

We are still investigating what other personal information was affected, including information regarding our Business, Trust, and Mortgage customers.

What We Will Be Doing

We are committed to supporting our customers and partners through this process. To that end, we will be directly notifying each individual whose personal information was affected and offering them two years of free credit monitoring and identity theft protection. We anticipate that we will begin sending these individual notifications via email on July 8, 2024. These notices will also include details regarding our dedicated call center, established to provide assistance enrolling in credit monitoring and answer questions about the incident.

More details will be shared on this page in the coming days.

What You Can Do

We encourage all personal banking customers and financial technology partners’ customers (end users) to remain vigilant by monitoring account activity and credit reports.  

You can set up free fraud alerts with nationwide credit bureaus—Equifax, Experian, and TransUnion. You can also request and review your free credit report at Freecreditreport.com. If you suspect any fraud or suspicious activity, please contact us immediately. 

If you suspect that you are the victim of identity theft or fraud, you have the right to file a report with the Federal Trade Commission (FTC) or law enforcement authorities.  

You can contact the FTC at:  

Federal Trade Commission  

600 Pennsylvania Avenue, NW  

Washington, DC 20580  

(877) ID-THEFT (438-4338)  

https://www.identitytheft.gov

We appreciate your patience and understanding as we navigate this challenging situation. Your trust is of utmost importance to us, and we are committed to transparency. 

If you have further questions, please review our Frequently Asked Questions page or contact [email protected] or 833.947.1379.