Artificially Intelligent with Sam Maule and Maia Bittner

Exposing Vulnerabilities: Evolve Bank's Breach and the Fintech Trust Challenge

Sam Maule, Maia Bittner, Rachel Morrissey


Can a single phishing attack lead to the financial ruin of millions? Brace yourself as we uncover the catastrophic data breach at Evolve Bank, orchestrated by the infamous LockBit ransomware group. Maia and Sam dissect this digital disaster, where a simple phishing scam blew open the floodgates, exposing the personally identifiable information (PII) of millions of Americans on the dark web. This breach isn’t just a wake-up call; it's a seismic shock, revealing glaring loopholes in our current security measures. We commend Jason Mikula for his fearless reporting on this issue, even under the looming shadow of legal threats from Evolve Bank.

The breach at Evolve Bank has sent shockwaves through the fintech industry, triggering a wider trust crisis. Imagine the chaos when social security numbers and other unchangeable PII are compromised. Drawing from the notorious Equifax hack, we stress the urgent need for robust, multifaceted security measures. We discuss the ripple effects impacting services like instant payouts and buy-now-pay-later schemes and scrutinize Evolve's lackluster response compared to the proactive stance of industry leaders like Max Levchin of Affirm. Join us as we call for better handling of such existential threats to sustain consumer trust in fintech innovations.

Hosts: Sam Maule & Maia Bittner


Sam Maule:

Hey everybody, welcome to another episode of Artificially Intelligent. I am one of your interns, Sam Maule. I am joined by Maia in the sunny West Coast. I'm guessing, Maia, it looks sunny behind you. How are you doing?

Maia Bittner:

Beautiful day today, welcome back. Welcome back. I'm excited to be jumping on and learning more things with you today, Sam.

Sam Maule:

Yeah, I live in Florida everybody, so you never know day to day what it's going to be like. We're tracking this Cat 5 hurricane. It's just another day in Florida, Maia, but we have the equivalent of a Cat 5 hurricane happening in the fintech community. How is that for a segue? I am so proud of myself with a hurricane segue. Because there's this famous quote by Mr. Lenin that says there are decades when nothing happens and there are weeks when decades happen. And the past few weeks have felt like decades in the fintech community, Maia.

Maia Bittner:

You know, and none of it is good. We have had no good news. It's not like there's all kinds of news happening. No, it's really only bad news, which I think is probably most often the situation when people pull out that quote.

Sam Maule:

I mean, let's start with what's happening with this incredible data breach that took place. Initially, the news was that LockBit, this ransomware group, had hacked the Federal Reserve and had something like 33 terabytes of data, but what we've learned over this decade of the past week or so is that this is Evolve Bank that had the data breach and basically PII data is now sitting out in the dark web for a ridiculous number of people and it affects a ridiculous number of fintechs. I've basically been chugging antacid medicine, I think, for the past week, every time I read one of these reports, Maia.

Maia Bittner:

Well, Sam. So first clarify some of the basics for me on this. When I hear, right, LockBit, the ransomware group, they release the data on, I think, millions of Americans, PII, social security number, all that. Basic question: does that mean that they asked Evolve for a ransom and Evolve did not pay up? So this was the consequence, or what do we know about how this situation played out? I mean, of course, having the data breach happen in the first place is not ideal and that's what we want to prevent. But do we know what happened right after?

Sam Maule:

I think it's still somewhat hazy, but here's my understanding is that Evolve did determine that they had a data breach going back to May of this year. The data breach was caused by, take a guess, Maia. How do you think this data breach started? How does every data breach start?

Maia Bittner:

So it depends on what decade we're talking about. If it was the 90s, a data breach happened because somebody left their laptop on the bus on the way home to work. If it's the 2000s, but yeah, I mean, uh, they could have been spearphished. Yeah, in this case it was clicking on a link.

Sam Maule:

Right, an employee clicked on a link. Those wonderful phishing attacks that opened up the gates, that allowed LockBit to get in, um, lock.

Maia Bittner:

It is interesting. So, and back up a little bit, we've talked about this. Um. So an employee clicked on the link terrible, totally. Like everybody gets trained not to do that. But how much freaking access did this employee have, you know? Like was this and was this the CEO? Like it's not. Like every lay person at a bank has access to the PII for a million. And you know, a good system, besides having layers of permissions and things like that, has a lot of rate limiting in place, so that there are some employees who are allowed to look at the social security number for any customer, but if they look at more than like 100 in an hour, right, you start to shut that system down.

Sam Maule:

Yeah, I mean, it's unbelievable. I mean the unfolding drama. I guess one of the best places is to follow Jason Mikula, who we both know and love.

Maia Bittner:

Jason is the expert here.

Sam Maule:

Man. He's done an incredible job of reporting on this. Yeah, on Twitter, so much so that he's received a cease and desist order from Evolve Bank. Bless you, Jason. But yeah, I mean, it even appears that they were able to hack into a large volume of their internal emails. Something like 9.9 gigabytes of PST files, which is basically Outlook data files are sitting out there.

Maia Bittner:

Why do they even have like don't? I mean many companies right sort of delete all their emails every three months or six months or a year. Right, it's like why was there access to so many emails?

Sam Maule:

It is just it's amazing. I'll tell you what we need to do a show sometime just on ransomware companies, because I went out and did a little bit of reading about LockBit and it's fascinating. They're basically, you know how you have banking as a service and software as a service. So LockBit is ransomware as a service, so is a business. Everybody, um, and this group is flipping really, really good at it. They're the world's most prolific ransomware, um, I guess firm, I don't know a better way of saying it, group.

Maia Bittner:

I guess it's a ball. It is all about incentives, right, and the thing is we not want nobody wants social security numbers released on the dark web. It's not good for anybody, right? And I'm including LockBit. LockBit isn't profiting off of having social security numbers on the dark web. Americans are obviously going to get screwed from this, and so that's what I'm saying. This is really kind of the worst case scenario.

Sam Maule:

Oh, it's horrible. What's interesting is, again, we believe the hack occurred toward the back end of May. In the first week of May the US government actually charged the founders of LockBit, which is a Russian national. Shocker. Basically put a $10 million bounty on their head. So yeah, of all things right, I mean just we're talking weeks before this hack even happened. You know the US government basically was going out for them. So I mean, again, like we said at the beginning, there are just some weeks where you're like man, could we use a little good news? You know, just a little bit.

Maia Bittner:

Well, and Evolve so, really, honestly, a great target for LockBit. They're in this really interesting vulnerable position, right. So my guess Evolve is a small bank in the scheme of things, right, if you compare it up to Chase Bank of America, they are a small bank. They probably do not have the same. We know that they don't have sufficient security practices, right. They don't have the IT staff that one of these bigger banks has. But on the flip side, Evolve has built their business as a partner to fintech companies. So Evolve is probably the number one biggest partner bank that supports fintech programs. They power a bunch of banking as a service software platforms, right. So those are the. Evolve is the bank behind a bunch of software platforms, including infamous Synapse. That powers a bunch of other programs as well as just working directly with really big companies like Affirm and Stripe.

Sam Maule:

Yeah, I mean Evolve. I was just looking at it now. I mean, you know, when we think of the big boys, Evolve is based out of Tennessee, if I remember right. You know this is sub $5 billion in assets when you talk about total assets for the bank, so a small bank, but a massive player.

Maia Bittner:

Durban exempt.

Sam Maule:

Yeah, I mean massive player, though when it comes to fintech, I mean the number of companies that they service is I mean you're talking. Affirm Earning Marketta. Lord Alloy Bond Branch. Dave Melio, Mercury Love.

Maia Bittner:

Mercury Mercury, I think Mercury previously, but not currently.

Sam Maule:

Yeah, not currently, and I think that's a good point.

Maia Bittner:

Yeah, with Mercury, although I'm curious. So if Mercury customers I mean presumably if personal information was hacked, Evolve still has all the personal information from Mercury customers, even though they have since switched off it, unless, as part of their switching, they I mean I honestly I don't even think you can request that data be deleted. I think the banks need to keep that data in order to comply with regulations and for future reporting, and so it stems the damage. It makes Mercury look good that they've moved off of Evolve. Anyone who's signed up super recently will not have been a victim, but it seems like most Mercury customers are still impacted by this, as well as anyone else who has moved off of Evolve.

Sam Maule:

Did you get a chance to read the post by Supes over at Sardine AI? Nope, when he talked about this.

Maia Bittner:

What did he say?

Sam Maule:

It's fascinating. He did a. Supes went on a thread rant about this a couple days ago. So everyone doesn't know. Supes is the founder of Sardine AI, which is again in this. You know the AML KYC space and fraud. Very fascinating one because he's like you. Please understand. The second your social security number is compromised. It's compromised. There's no tokenization around your social security. There's no way to go out and get a new SSN issued, right, or an EIN. I mean it's again. We are in this day and age. We talk about this in banking all the time, but this extends far beyond banking. What we rely upon for PII data is data that can't be changed your date of birth, your social. You know I mean, let's go back to the day right, your mother's maiden name, your favorite hobby. I guess you can change your favorite hobby. You can't change your mother's maiden name. You're not changing your date of birth, you're not changing your social, you know. I mean, just like you said, when that PII data is out there, it's out there, I mean- there.

Maia Bittner:

I mean it's just game over. I mean, honestly, it's like after the, um, Equifax hack, a lot of that is out there anyway. Um, I think, frankly, this is not the first time that we've realized, like, look, we cannot depend on social security number, on knowing social security number, as proof that somebody is who they say they are and a proof of their identity. Right, we got to step up it, like has to. It's an arms race and it's got to continue to be multifaceted. I know other data that was leaked that is a little bit less sensitive, but the full 16 digit card numbers referred to as the PAN. I think Affirm just confirmed that their card product is totally compromised. That's kind of rough right. There's a lot of protections baked into cards. People can get those reissued, but it's a huge pain in the ass. A lot of settlement files, ACH files, I think, even people who did not have an account at Evolve but who sent a transfer to somebody who has an account at Evolve. Some of their information has been compromised too.

Sam Maule:

That's what makes this interesting, because that's where we've gotten in the gotten. I don't think that's great English, everybody. That's where we're at now, in 2024, with FinTech. That's part of the skin in the game level that we're at, because we're talking about banking as a service, or blank as a service. There's multiple layers of integration, right, I mean, I'm, I'm a bank, I am servicing, say this, this, this payments company, and then there's a KYC vendor that sits out there and a fraud vendor that's out there and take your pick, and so the spider webs of tracking this back to figure out the impact is the CSI for fintech and hacks like this. That's a business model. That's something I should have gone into. But again, everybody, I like what Maia referenced when you talked about Equifax. That was back in 2017, the hack that occurred there.

Maia Bittner:

Again. This isn't new. We already lost everybody's social security number. Let's be real.

Sam Maule:

It wasn't secret, amen, it wasn't secret, we it wasn't secret.

Maia Bittner:

We lost it again. Um, but this is I mean it's really far reaching my well one of my biggest concerns. I mean, Sam, this is our industry, right? You, you and I have kind of bet our careers on FinTech and this is a huge trust-breaking moment. Um, Equifax lost a lot of trust in the breach, but people can't really decide whether they're a part of Equifax or whether they're using it or not. The credit bureaus do not have strong consumer brands, right?

Maia Bittner:

They are mostly, and so that was sort of a side A lot of this consumer stuff. I mean, dude, everybody who gets instant payouts from Uber I think they might have been affected because Branch, the payments provider there, was powered by Evolve. I mean FinTech, like all of the stuff that people love from FinTech, which is those instant payouts, right, which is fee-free banking, which is, um, all, you know, all that stuff that Stripe does, which is buy now, pay later from Affirm. Like there's a ton of consumer demand for this. But this is kind of a big trust-breaking moment and I gotta say I mean, ever the social security numbers were out, Evolve as a small bank. They don't have the IT. I can be a little bit understanding for some of the stuff with the, with the hack, but the comms has been abysmal. People are getting emails, the timing, the confusion.

Maia Bittner:

It seems like nobody knows exactly what happened. Um, I am getting my phone is blowing up with text messages from people saying, hey, I bank with Mercury. Like am, is my money at risk? Hey, like I have an Affirm card, what do I need? Like nobody is on top of this stuff and Evolve is way behind the ball. I mean, you kind of casually mentioned the cease and desist against Jason for reporting. I feel like that shows how much they've sort of lost the thread on this.

Sam Maule:

Yeah, I'm with you on that one.

Maia Bittner:

They're out of control. It's interesting.

Sam Maule:

Yeah, I mean, and that was a Twitter thread that was going on when Jason was talking about this and he literally mentioned something about Affirm and Max Levchin, right out in the blue, replied to Jason and said yeah, if there's anything you can do to give me more information to help with this, I give Max Levchin props for that. Right. Get out in front of this. Wise has done that.

Maia Bittner:

Max has had great comms throughout this.

Sam Maule:

I'm a big everybody just so we can get past this. I'm a Max Levchin fanboy, so I like Max.

Maia Bittner:

I think he's brilliant One of the PayPal mafia. Everybody Very good at what he does.

Sam Maule:

And proved that buy now, pay later was a real thing, because everyone yeah.

Maia Bittner:

Through, like it feels like Max's, like force of will.

Sam Maule:

Yeah, Max, come on the show. Come on, baby. Would love to interview. But yeah, I think he did a fantastic job jumping in front of this. Wise has done the same thing. You know, on the comms part, I think Mercury has done a good job, Mercury has been excellent, you know.

Sam Maule:

I kind of you know. I think it evolved. I think you positioned this correctly when Equifax had this you know, massive hack everyone back in 2017, and they were fined. I think it was like $1.3 billion, if I remember. It was a chunk of change. They had to pay out the door. Equifax can survive that. Evolve is not a large bank they aren't and on top of this, they had the whole Synapse debacle, which was also happening, this whole reconciliation issue that they had. They had the OCC come at them with the. You know they got nailed there and then you know just not that I think it was yesterday or the day before. You know, now you've got congressmen more or less coming after Evolve too. You know it's been reported. So some rough days in Tennessee, I think, right now.

Maia Bittner:

Rough days. So we have. So there's a couple of weaknesses that have been highlighted by recent events. So one we've got like a concentration risk in the fintech ecosystem. So many products were powered by Evolve on the backend, that then, right, with this one hack, it's taken down like a ton of the fintech industry including. Well, yeah, so that's one risk.

Maia Bittner:

A second risk, you know, having these sponsor banks, since it's so difficult to get a bank charter and to be regulated, as a bank in the US has had all these interesting things. So the sponsor banks don't really have the end customer relationship, and that's what the fintechs want. They say, hey, we want to own the customer relationship and all the communications with them and we just want to kind of rent out your bank charter. Well, we're in a weird ass position now where, like, even a bunch of the startups that were backed by Evolve have shut down, right, so they don't even exist anymore.

Maia Bittner:

Their customers' information was leaked in the Evolve hack. Well, who's sending out the emails? Who's sending out the notification? Is it Evolve, this company that they may not have even heard of before? Right, it's got that small print at the bottom you signed up for a Glorify account and there's this tiny print that are like banking services provided by Evolve, na, like whatever the whole thing, and then you get an email from them out of the blue. So I feel like the customer comms piece has just been done really poorly, both because we have like a little bit of incompetence, but also just as a structural weakness like this is the way that the fintech ecosystem is structured. It's a lot of benefits to separating out the customer relationship to be owned by the fintech, but this is we're kind of seeing one of the weaknesses too, particularly if the fintech is shorter lived than the bank, which is going to be the case. It's almost by design that banks are pretty hard to fail in the US.

Sam Maule:

Yeah, I think there's a great quote in paymentscom today. It was from Thredd CEO, Jim McCarthy. Thredd being T-H-R-E-D-D. Welcome to FinTech. There's so many companies named the same thing, but this is a good quote. He said the regulators are now awake. Too many people are focused on the as a service part but have minored in the banking part of it all. If you're going to play in that space, I'd argue that if you fail at the banking part, the service piece doesn't even matter. Yeah, yeah, 100%. There's a lot. Like what Wade Arnold, the founder of Move Railwork, says, there's a lot of fin in fintech, but there needs to be a bit more. You know, what I find really interesting about this is way back in the day, when I was on subs bouncing around under the ocean, we had what we called casualty operating procedures. They were COPs, Maia, and there were these 13 manuals that basically addressed every single situation that would take our guidance system down and not allow us to launch nuclear missiles.

Sam Maule:

And they were step-by-step manuals that, by the way, as the navigation supervisor where I worked, I had to have them memorized. I had 13 manuals. I knew every step, every step, and we practiced. We did drills. Practice just didn't sound like the military. We drilled on them over and over again. We'd do them in the dark. We'd do them with our air mask on. We would do them while diving deep. We'd do them while doing an emergency surface. We would go through every scenario and they would constantly get updated because we'd think of another terrible thing that could happen, because essentially, we could end the world. That was, the job of the submarine was to launch nuclear missiles, you wonder.

Sam Maule:

Dude, it doesn't look to me like Evolve that I'm just gonna say it might be good, everybody yeah critical large data leak.

Maia Bittner:

What do we do? What's step one?

Sam Maule:

Yep, yep, yep, because right now you've got about five or six different things hitting all at the same time. I get it, I understand, I feel your pain, but man, everybody, um, let's do better.

Maia Bittner:

Their leadership team is going to get some ulcers.

Sam Maule:

Yeah, I'll say this, Maia, and this even ties back to the Synapse debacle that was going on. When you read, we have to remember, at the end of the day, we're servicing real people, whether they're small businesses or individuals, consumers who can't access the money they put into Synapse, you know, and say, hey, I'm out $30,000. I'm actually suicidal, I believe that was one of the letters.

Maia Bittner:

I mean it's unacceptable.

Sam Maule:

That's at the end of the day. We have a fiduciary and ethical responsibility. I'm preaching everybody, but I don't care.

Maia Bittner:

We have a fiduciary and ethical responsibility to do better, to remember who we're servicing. Ethical and, frankly, regulatory responsibility, yes, give people access to their funds.

Sam Maule:

So everybody, let's do better. Okay, how's that?

Maia Bittner:

Let's do better. Let's wrap this up. I know we're in the middle of this, we don't even know all the consequences exactly, yet still unfolding, but excited to keep an eye on it. Hopefully it doesn't take down the whole industry. Hey, that would be nice.

Sam Maule:

Please don't. I like working here, everybody. Hey, go out and read Jason Malika's. Oh, Jason, come on, Mikula, sorry, Jason, I keep trying. Great Twitter feed. There's others that are reporting. Great, a lot of reporting going on right now. The story is unfolding, even some of the things that we talked about we're going to get more clarity on. But again, everybody, let's just do better. Hey, thanks for listening. Really, we really do appreciate it. We love this space. Like I said, Maia and I just keep learning, right, Maia? I mean, every week something new comes up. It's fascinating.

Maia Bittner:

You know it's fun when there's so much drama.

Sam Maule:

Yeah, drama Drama's fun as long as it's not your drama or mine. Hey everybody, have a great week.

Maia Bittner:

So thanks so much for listening to another episode of Artificially Intelligent part of the Money 2020 Network. We will see you next week.