The money transfer and fintech company Wise announced on Friday that some of its customers’ personal data may have been stolen in the recent data breach at Evolve Bank and Trust.
The news highlights that the fallout from the Evolve data breach on third-party companies — and their customers and users — is still unclear, and it’s likely that it includes companies and startups that are yet unknown.
In a statement published on its official website, Wise wrote that the company worked with Evolve from 2020 until 2023 “to provide USD account details.” And given that Evolve breached recently, “some Wise customers’ personal information may have been involved.”
“We’ll be emailing all Wise customers who we think may have been affected by this data breach directly,” the company wrote.
Wise said that it shared U.S. customers’ personal data with Evolve, information that included names, addresses, date of birth, contact details and Social Security numbers or Employer Identification Number. For non-U.S. customers, Wise also shared “another identity document number.”
At this point, it’s unclear how many Wise customers have been affected, as the company wrote that it is still “actively investigating.”
Wise did not respond to a request for comment asking to clarify how many of its customers had their data stolen.
When reached by TechCrunch for comment, asking whether Evolve knows how many partner companies — old and current — and end users have been affected by the breach, and whether Evolve has already contacted all of them, Evolve spokesperson Eric Helvie declined to comment and referred to the company’s official statement on its website.
As of this writing, the statement says Evolve “continues to work around the clock to respond to the recent cybersecurity incident” and promises to provide further updates. The company said the breach was a ransomware attack by the LockBit cybercrime gang, due to an employee clicking on a malicious link in May of this year.
“There is no evidence that the criminals accessed any customer funds, but it appears they did access and download customer information from our databases and a file share during periods in February and May,” the statement read. “The threat actor also encrypted some data within our environment. However, we have backups available and experienced limited data loss and impact on our operations.”
The company also promises to directly notify “each individual whose personal information was affected.”
So far, Affirm, EarnIn, Marqeta, Melio and Mercury — all Evolve partners — have acknowledged that they are investigating how the Evolve breach impacted their customers. On Monday, fintech reporter Jason Mikula shared on X a notification that Branch, another Evolve partner, had sent to a customer. Branch has yet to respond to repeated requests for comment from TechCrunch.