Customers of British fintech startup Revolut are at heightened risk of phishing after hackers obtained the personal information of tens of thousands of them.
The app-based bank told the Lithuanian data protection authority that the data of 50,150 customers was affected by the incident, which exposed names, addresses, emails, telephone numbers and parts of payment card data. Fewer than half the affected customers are located inside the European Union plus Norway, the company disclosed. Revolut, founded in 2015 and dubbed “the U.K.’s most valuable fintech startup,” obtained a banking license through Lithuania in 2018.
“To be clear, no funds have been accessed or stolen. Our customers’ money is safe,” a Revolut spokesman told Information Security Media Group. He also said there is no evidence that the bank’s leaked data has appeared on the dark web.
Simon Vernon, head of research and development for the SANS Institute, tweeted a screenshot of a phishing message that he received Monday from fraudsters attempting to capitalize on the breach. The message directed users to click on a malicious link, revolut-card-cancel.com.
Another Twitter user said he received a similar message, to which the company responded, “Revolut will never ask you to verify your identity via SMS, as we have other ways to do so.”
The company provided further guidance on how to avoid phishing and other common scams in an earlier blog post.
Revolut did not disclose additional details of the cyberattack, although it acknowledged that some of its 20 million customers are affected by the breach, which took place on Sept. 11.
A Reddit user posted about receiving an email notification from Revolut tied to the cyberattack. “You do not need to take any action, however, we wanted to let you know, and sincerely apologize for this incident,” the email notification reads.
Revolut’s spokesperson declined to divulge the number of customers affected or what details were compromised in the attack but said, “We can confirm that passwords and PINs, complete payment card numbers, and identity documentation such as passport/driving license were not accessed.”
The Lithuanian data protection authority launched its own investigation. Revolut has also established a special team that will oversee customers’ accounts and ensure the safety of their money and data.
Chat Window Defacement
Around the time that Revolut says attackers had unauthorized access to its systems, users reported that the company’s help chat sent offensive messages to site visitors.
Reddit users thought the sender was an angry employee of Revolut. The company’s support team responded to this thread, saying, “We’re aware of a number of users that received inappropriate wording via chat this evening. We are addressing the issue and are taking steps to ensure this does not happen again. We apologize for any offence caused by this.”
Although the defacement suggests that attackers possibly gained access to a variety of systems used by the company, a link between this incident and the data breach announcement by Revolut could not be confirmed.