Affirm cardholders beware! Data breach at Evolve Bank, the issuer of Affirm credit cards, may expose personal information. Learn what details could be at risk, what to do to protect yourself, and how to stay informed.
Affirm cardholders are being urged to remain cautious after US-based financial technology firm Affirm Holdings (AFRM) confirmed a potential third-party data breach impacting its customers. The concern stems from a cyberattack on Evolve Bank and Trust (EBT), the third-party issuer of Affirm credit cards.
While the exact scope of the breach remains under investigation, Reuters reports that customer data was illegally released on the dark web. According to Bloomberg, EBT’s data was posted on the LockBit 3.0 cybercrime group’s dark web site on June 25th, after which the bank disclosed the incident on June 26th.
The buy-now, pay-later (BNPL) services provider, Affirm, released a statement on July 1st explaining that it is investigating a “cybersecurity incident” involving EBT, and assuring customers that its own systems were not compromised in the attack and that Affirm cardholders can continue using their cards as usual.
“Evolve Bank disclosed that it suffered a cybersecurity incident in which a cybercriminal organization illegally accessed and obtained some personal information of Evolve retail bank customers and those of its financial technology partners, which includes Affirm,” the company noted.
Affirm also confirmed that customers without an Affirm card and Affirm instalment loans were safe; that Affirm Card and Affirm Money Accounts are still functional and safe to use; and that merchant and partner integrations are not directly impacted, as they are separate from Evolve Bank.
In its press release dated July 1st, EBT acknowledged that customer information “from our databases and a file share” was accessed during a period between February and May 2024, and that EBT detected the access in May 2024. The information may include personal data like names, Social Security numbers, dates of birth, account details, and contact information, but does not include customer funds.
The attacker also encrypted some of the bank’s data, but because EBT had backups, it refused to pay the ransom, after which the attacker leaked the data, wrongfully claiming the Federal Reserve Bank as the source, EBT explained.
Known for its partnerships with fintech platforms like Affirm, Mastercard, Visa, Melio, Mercury, Stripe, Wise, and Airwallex, EBT is currently investigating the impact of the breach with help from law enforcement agencies. Affirm has also launched an independent investigation to determine the full impact of the incident.
Just two weeks prior to the breach, regulators had issued an order citing concerns about the bank’s risk management practices and demanding stricter oversight for future partnerships. This incident raises serious questions about EBT’s ability to safeguard customer data.