Affirm payment customers compromised in Evolve Bank hack


US fintech Affirm announced on Monday that its customers' information may have been exposed in last week’s cybersecurity attack on Evolve Bank and Trust, filing an official disclosure report with the US Securities and Exchange Commission.

Affirm payment cards, which are issued by Evolve Bank, offer Affirm's 1 million active cardholders a ‘buy now, pay later’ financing option.

Evolve Bank was forced to admit to a data breach on June 26th after sensitive data was leaked online by the notorious LockBit criminal group in a dark web blog post the same day.

The Arkansas-based consumer Banking-as-a-Service and mortgage lender is known for its third-party banking partnerships with several fintech platforms, including not only Affirm, but others such as Mastercard, Visa, Melio, Mercury, Stripe, Wise, and Airwallex, many of which also have announced investigations into the Evolve breach impact.

On June 26th, Affirm Holdings alerted its cardholders that the Evolve cybersecurity incident “may have compromised some data and personal information Evolve had on record.”

The fintech stated that although Affirm shares the personal information of its card users with Evolve Bank for issuance purposes, Affirm systems were not compromised.

The company further clarified its statement for customers on X on Monday, posting, “We’ve posted an FAQ for Affirm Card users who may have been impacted by Evolve Bank and Trust’s cybersecurity incident.”

The FAQs noted that customers who do not have an Affirm Card are not impacted. Affirm installment loans were also unaffected.

“If you do have an Affirm Card, we’re still investigating and we will have your back,” the company further informed customers.

Affirm also stated that there was no direct impact on “our merchant and other partner integrations,” which have no involvement with, and are separate and distinct from, Evolve Bank.

“Rest assured, your Affirm Card and Affirm Money Accounts are still working and safe to use,” the company announced last week.

The company also said as soon as it became aware of the Evolve breach on June 25th, it “immediately began an investigation to determine if any Affirm consumer information had been compromised, and we are continuing to look into this.”

Evolve had informed its banking customers that LockBit's “illegally obtained data” may have included personally identifiable information (PII) such as name, Social Security Number, date of birth, account information, and/or other personal information.

The Russian-linked ransomware cartel had leaked the stolen information on their dark web blog on June 26th, claiming it was data stolen from the US Federal Reserve without further explanation.

Affirm recommended that customers further enhance the security of their accounts by:

  • Resetting your card PIN in the Affirm app
  • Setting up free fraud alerts from nationwide credit bureaus
  • Monitoring for unusual activity on your Affirm or Affirm Card account
  • Remaining alert for unsolicited communications involving your personal information.

Affirm reiterated that any affected Affirm Card users are protected and will be notified directly in future communications, and any updates will also be posted here.

Headquartered in San Francisco, Affirm Holdings was founded by PayPal co-founder Max Levchin in 2012. Affirm's annual revenue for 2023 was listed as more than 1.5 billion dollars by Macrotrends.

This investigation, along with remediation efforts, is ongoing as of July 1st, Affirm said.