Substitute Notice of Data Breach

As recently announced on the Evolve Bank & Trust (“Evolve” or “we”) website, Evolve was recently subject to a cybersecurity incident. This post provides up-to-date information regarding what happened and what we are doing.

August 27, 2024

What Happened

In late May 2024, Evolve identified that some of its systems were not working properly. While it initially appeared to be a hardware failure, we subsequently learned it was unauthorized activity. We engaged cybersecurity specialists to investigate and determined that unauthorized activity may have been the cause. We promptly initiated our incident response processes and stopped the attack. Evolve has seen no new unauthorized activity since May 31, 2024. We engaged outside specialists to investigate what happened and what data was affected, as well as a firm to help us restore our services. We reported this incident to law enforcement.  

While the investigation is ongoing, current evidence shows the following:  

  • This was a ransomware attack by the criminal organization, LockBit.  
  • They appear to have gained access to our systems when an employee inadvertently clicked on a malicious internet link.  
  • There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May.  
  • The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations.  
  • We refused to pay the ransom demanded by the threat actor. As a result, they leaked the data they downloaded. They also mistakenly attributed the source of the data to the Federal Reserve Bank.  

What Information was Involved

At this time, we have evidence that files were downloaded from our systems. The investigation is in its early stages, but it appears that names, Social Security numbers, Evolve account numbers, dates of birth, and contact information were affected for most of our personal, mortgage, trust, and small business banking customers, as well as customers of our Open Banking partners. A small portion of these individuals also had their debit card number affected. The affected files also included ACH transaction records, which include financial account number, routing number, and name for both payors and payees.

What We Are Doing

Since becoming aware of the incident, we have taken steps to enhance existing controls and further secure our environment, including: 

  • Resetting passwords globally.   
  • Reconstructing critical Identity Access Management components, including Active Directory.    
  • Further hardening of firewall and dynamic security appliances.   
  • Deploying endpoint detection and response and other security tools to harden the network.   

We are in the process of further strengthening our security response protocols, policies and procedures, and our ability to detect and respond to suspected incidents.    

Evolve is notifying individuals whose personal information was affected via email where available. Evolve began sending the first rounds of individual notifications on July 8, 2024. These notifications include an offer of two years of comprehensive credit monitoring and identity protection services for U.S. residents, while international residents will be offered dark web monitoring services where available. Additionally, the notices provide detailed information about these services, along with instructions for registration and contact details for our dedicated call center established to assist with enrollment and address any inquiries related to the incident. Our initial round of notifications is expected to be completed over the coming weeks. Our investigation is ongoing, and we anticipate subsequent, smaller rounds of notifications.

What You Can Do

We encourage all personal banking customers and financial technology partners’ customers (end users) to remain vigilant by monitoring account activity and credit reports. Additionally, always be alert for “phishing” emails or phone calls requesting sensitive information, such as passwords, Social Security numbers or financial account information. These requests often come from a sender pretending to be a company you do business with or a person you know. We also recommend that you use multifactor authentication for your online accounts when offered.

You can set up free fraud alerts with nationwide credit bureaus—Equifax, Experian, and TransUnion. You can also request and review your free credit report at Freecreditreport.com. If you suspect any fraud or suspicious activity, please contact us immediately.

We have also established a dedicated call center available toll free in the U.S. at 866.238.9974, Monday through Friday 8am to 8pm ET (excluding major U.S. holidays). Please call this number if you have questions about the incident or the identity monitoring services. 

If you have further questions, please review our Frequently Asked Questions page.

For questions about your account, please contact [email protected] or call 833.947.1379

Additional Information For US Residents

Information on Obtaining a Free Credit Report

U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit reports, visit www.annualcreditreport.com or call toll free 877.322.8228.

Information on Implementing a Fraud Alert or Security Freeze

You can contact the three major credit bureaus at the addresses below to place a fraud alert on your credit report. A fraud alert indicates to anyone requesting your credit file that you suspect you are a possible victim of fraud. A fraud alert does not affect your ability to get a loan or credit. Instead, it alerts a business that your personal information might have been compromised and requires that business to verify your identity before issuing you credit. Although this may cause some short delay if you are the one applying for the credit, it might protect against someone else obtaining credit in your name.

A security freeze prohibits a credit reporting agency from releasing any information from a consumer’s credit report without written authorization. However, please be aware that placing a security freeze on your credit report may delay, interfere with, or prevent the timely approval of any requests you make for new loans, credit, mortgages, employment, housing, or other services. A credit reporting agency may not charge you to place, temporarily lift, or permanently remove a security freeze.

To place a fraud alert or security freeze on your credit report, you must contact the three credit bureaus below:

Equifax
Consumer Fraud Division
P.O. Box 740256
Atlanta, GA 30374
888.766.0008
www.equifax.com

Experian
Credit Fraud Center
P.O. Box 9554
Allen, TX 75013
888.397.3742
www.experian.com

TransUnion
TransUnion LLC
P.O. Box 2000
Chester, PA 19022-2000
800.680.7289
www.transunion.com

To request a security freeze, you will need to provide the following information:

  1. Your full name (including middle initial as well as Jr., Sr., II, III, etc.);
  2. Social Security number;
  3. Date of birth;
  4. If you have moved in the past five (5) years, the addresses where you have lived over those prior five years;
  5. Proof of current address such as a current utility bill or telephone bill; and
  6. A legible photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.).

You may also contact the U.S. Federal Trade Commission (“FTC”) for further information on fraud alerts, security freezes, and how to protect yourself from identity theft.

The FTC can be contacted at:

400 7th St. SW
Washington, DC 20024
877.382.4357 or www.consumer.gov/idtheft.

Additional Resources

Your state attorney general may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your state attorney general, or the FTC. 


Colorado and Illinois residents: You may obtain information from the Federal Trade Commission and the credit reporting agencies about fraud alerts and security freezes. 


Iowa Residents: The Attorney General can be contacted at:

Office of Attorney General of Iowa
Hoover State Office Building
1305 E. Walnut Street
Des Moines, Iowa 50319
515.281.5164 or www.iowaattorneygeneral.gov.


North Carolina Residents: The Attorney General can be contacted at:

9001 Mail Service Center
Raleigh, NC 27699-9001
877.566.7226 (Toll-free within North Carolina); 919.716.6400 or www.ncdoj.gov.


New Mexico Residents: You have rights under the federal Fair Credit Reporting Act (FCRA), which governs the collection and use of information pertaining to you by consumer reporting agencies. For more information about your rights under the FCRA, please visit: https://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0096-fair-credit-reporting-act.pdf or www.ftc.gov.


New York Residents: The Attorney General can be contacted at:

The Office of the Attorney General
The Capitol
Albany, NY 12224-0341
800.771.7755 or www.ag.ny.gov


For Arizona, California, Iowa, Montana, New York, North Carolina, Washington and West Virginia residents: You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit bureaus directly to obtain such additional report(s).