Evolve Bank data breach: what we know and how to protect yourself

On the 26th of June 2024, Evolve Bank & Trust announced that it was involved in a data breach.

Even though data breaches are common (see EasyJet), when a financial institution containing incredibly sensitive personal data gets hacked, it’s much more concerning.

Further, because Evolve provides services to many FinTech companies, even if you’ve never heard of Evolve, you might be surprised to know your data might have been leaked. Evolve provided services to the likes of Wise and Mercury Bank.

I, along with probably millions of others, have been affected. So I wanted to write an article to share what is known so far about the breach and what we should do to stay safe.

What data was exposed in the Evolve breach

This will depend on each specific financial institution that partnered with Evolve, and what data they required to share with Evolve to provide services. You should be contacted by any company that might have been involved soon enough, if not already.

For now, I’ll take Wise as an example, as they are one of the most well-known and they’ve made a public statement. According to their statement, the following might have been leaked to the dark web:

• Full name
• Address
• Date of birth
• Contact details (email and phone)

And one of:

• Social Security Number or Employer Identification Number, for US customers
• Identity document number, for non-US customers

At this point, it’s important to mention that as far as we know, photographic copies of ID documents like passports or driver’s licenses have not been shared, only their numbers. This was confirmed in the email Wise sent customers yesterday:

How to protect yourself after the Evolve breach

I’ve previously written about how to protect yourself after a data breach. While those measures still apply, when the breach involves banking details, we need to take extra precautions.

For US citizens

This is the most affected group, because SSNs can be used in identity theft. You can take the following steps to protect yourself:

Register for new credit alerts

Register for an account with a Credit Scoring Agency, and keep an eye out regularly for new accounts opened in your name. Some sites like Credit Karma allow you to set up alerts for this. I recommend setting this up.

Place a Fraud Alert

If you do notice anything new and unrecognised account in your name, you can set up a “fraud alert” on your credit file by contacting one of the credit bureaus: Experian, Equifax, or TransUnion.

For everyone

If you’re a US citizen and already considered the above steps, and for everyone else, I recommend some general security practices to stay safe.

Besides the generic online safety practices like having unique, random passwords for each account, consider the following:

Remain vigilant

Wise recommends that you keep an eye out for activity on your accounts that might have been linked to your Wise USD account, or to whichever account you have that partnered with Evolve Bank.

Do not share any personal information over the phone or via email. Your banks should have all the information they need about you already.

Hang up, call back

Remember your email and phone number might have been leaked, along with your banking details, so if anyone calls you and knows a lot about you, don’t assume it’s a bank or financial institution straight away. Hang up, and call them on a number displayed on their official website.

Take your time

Scammers that try to impersonate financial institutions usually want you to act quickly, so you don’t have time to think. It’s okay to say no, take time to consider and come back later.

For more resources on preventing Financial Fraud, I highly recommend Take Five To Stop Fraud.

This data breach, like all others, is regrettable. But with the right mindset, actions and tools we should be able to fight back against cybercriminals.

If you have suggestions on how to keep people safe, more recent information or questions about this article, please contact me.