January 1, Russian Hackers Breach Evolve Bank, Spurring Nationwide Financial Data Crisis

In a drama that could have been torn from the pages of a Tom Clancy novel, a major breach in our nation’s cybersecurity infrastructure unfolded recently. The Arkansas-based Evolve Bank and Trust announced that it had suffered a “cybersecurity incident” perpetrated by the infamous Russian ransomware group, LockBit, resulting in the theft of customer data.

Contrary to initial claims made by the hacker group that pointed to the Federal Reserve as the victim of their attack, it was indeed Evolve Bank and Trust customers, along with its associated FinTech partners, who bore the brunt of this cyber onslaught. The stolen information reportedly includes customer names, Social Security numbers, birthdates, and scanned copies of driver’s licenses and IDs.

The magnitude and potential impact of this cybersecurity breach is alarming. Given Evolve Bank and Trust’s critical role as a bridge between traditional finance and innovative FinTech startups, and the interconnectivity of modern financial systems, the ripple effects of this attack are far-reaching. Major financial firms such as Wise, Mercury, Stripe, and Affirm, among others, have already needed to alert customers of the potential compromise of their data.

The situation is further complicated by the impending bankruptcy of Synapse, a fellow banking provider, which acted as an intermediary between FinTech firms and traditional entities like Evolve. Senators Sherrod Brown, Ron Wyden, Tammy Baldwin, and John Fetterman recently demanded Synapse ensure its customers are compensated, pointedly addressing Evolve in their communication. This cyberattack will undoubtedly add fuel to this fire.

Two notable concerns arise from this disconcerting event. The first is the sheer scale of the ordeal; the list of Evolve’s FinTech partners encompasses some of the country’s largest institutions, affecting potentially hundreds of millions of citizens. The true extent of the damage can only be measured once companies disclose who has been affected.

The second concern revolves around the substantial personal and private data these companies are legally obliged to collect under various federal mandates, such as the Bank Secrecy Act, the PATRIOT Act, the FDIC Customer Identification Program, the Dodd-Frank Act, and the newly enacted Corporate Transparency Act. These acts require that customers hand over considerable amounts of information, which financial institutions must retain. This is the very data that the Russian hacking group could potentially now own.

The threat of identity theft looms large as criminals link this information with other online breaches. Users are already reporting phishing scams resulting from the hack, and the possibility of more leaked information still exists.

Amid this debacle, Evolve Bank targeted FinTech Substack writer Jason Mikula, who has been diligently covering the breach, with a cease-and-desist letter threatening legal action if he reveals any information related to the hack.

This incident raises serious questions about the efficacy and potential dangers of the government’s current approach to financial regulation, especially those concerning Know Your Customer and anti-money-laundering laws. We should ponder if the existing laws are endangering us more than they are protecting us. Legislatively enforceable penalties for hacks that jeopardize our private information could be more effective in combating cybercrime than additional regulation. Policies promoting encryption, penalizing offenders, and reducing data collection might be more beneficial in safeguarding consumers from future damage.

As our loyal readers, we encourage you to share your thoughts and opinions on this issue. Let your voice be heard and join the discussion below.

Source