Evolve Bank & Trust

Summary

In February and May 2024, LockBit 3.0 ransomware gang accessed Arkansas-based Evolve Bank & Trust systems, exfiltrating personal information of 7.6 million individuals including names, SSNs, bank account numbers, and contact details. The breach affected personal banking customers and Open Banking partners including Wise (which had severed ties), Affirm, and Mercury. Evolve refused to pay ransom, leading to data publication online. The bank offered affected individuals two years of free credit monitoring and identity protection starting July 8, 2024.

What Happened

LockBit 3.0 accessed Evolve's databases and file shares during February and May 2024. Initially appearing as hardware failure in late May, investigation revealed unauthorized activity. The bank confirmed the incident July 1 after LockBit published stolen data.

Impact on Individuals

7.6 million individuals had SSNs, bank account numbers, and personal information exposed, creating severe identity theft and financial fraud risks.

Organisational Response

Evolve refused ransom payment, notified affected individuals, and offered two years of free credit monitoring and identity protection. Class-action lawsuits were filed.