
The Evolve Data Breach is Different – Here's Why

SentiLink

Published

July 4, 2024


We've gotten used to data breaches. When a new one happens, financial institutions trot out the same advice to their customers: freeze your credit, consider an identity monitoring service. And consumers, for the most part, just ignore them. "My data's already out there anyway," goes the common refrain. 

But the latest major data breach represents a different sort of threat – one that we think neither financial institutions nor consumers yet fully appreciate. 

What happened?

In late May, Evolve Bank and Trust suffered a ransomware attack as the result of an employee clicking on a malicious link. When the bank refused to pay the ransom, the attackers leaked a large amount of data: "customer information from our databases and a file share during periods in February and May," according to Evolve.

The full extent of what's contained in the breach is still unclear, but the leak appears to have been significant. Per reporting from fintech advisor Jason Mikula, it contains data ranging from customer PII to bank account and routing data to internal emails from Evolve employees. 

Why this breach is different

It's the apparent combination of PII and bank account data that makes this breach different from other data breaches, and potentially enables a different type of fraud than consumers and FIs may be expecting.

Typical data breaches often provide identity thieves with a customer's PII, but they don't generally include account information such as a bank account number and routing number. Without that account information, there's no easy way for a fraudster to access the victim's bank accounts. Account information can be obtained in various ways (check theft, dark web data purchases, etc.) but fraudsters will often take the easier route, using the leaked PII to apply for credit in the victim's name. That's why FIs and other experts often advise consumers to freeze their credit in the wake of a data breach. 

In this case, however, the leaked data appears to include both PII and account information, which might enable fraudsters to easily access and drain victims' bank accounts. To understand how that could work, we need to look at how bank accounts are funded and linked. 

How account linking could enable account draining

When a consumer opens a new bank account, they often fund it by linking it to an existing account, enabling them to transfer funds easily between the two. This requires the banks to confirm that the consumer is the rightful owner of the account being linked, and there are three common approaches to doing this:

  1. Microdeposits. Bank 1 (newly opened account) puts several small deposits into Bank 2 (linked account) and then asks the consumer to confirm the specific amounts deposited as a way of confirming their ownership of the Bank 2 account. 
  2. Account aggregator verification. Bank 1 uses a third-party service that requires the consumer to log in via their Bank 2 account credentials to confirm account ownership.
  3. Account numbers and EWS verification. Bank 1 asks the consumer for the account number and routing number to the Bank 2 account. Bank 1 then passes this information, along with the consumer's name, to Early Warning Services (EWS), which checks that the name on the Bank 2 account matches the name on the Bank 1 account. If it does, the link is confirmed. 

It is this third approach that represents a potentially novel problem in the context of the Evolve breach. If an identity thief can find a consumer's PII and their bank account information in the leaked Evolve data, they could use that information to drain funds from the customer's existing accounts – potentially including the funding account that has no direct connection to Evolve. Here's how it could work:

  1. The fraudster uses the leaked PII to open an account at Bank 2 in the victim's name.
  2. The fraudster uses the leaked account and routing information to request a link between the Bank 2 account they just created and the victim's existing account at Bank 1. 
  3. Bank 2 processes the link request via EWS, and because the names on both accounts match, EWS returns a match and the link is confirmed. 
  4. The fraudster can now use the link to pull funds out of the victim's real account at Bank 1 and into the account they control at Bank 2. 

And unfortunately, the traditional "freeze your credit" advice given to consumers doesn't protect their accounts against this type of attack. Consumers victimized by this type of fraud would often not even be aware that a new account has been opened in their name. 
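To show where a bank can interpose in the linking flow above, here is an added Python example (not SentiLink's code and not any bank's or EWS's actual controls) that models option 3's name-match-only verification and flags the pattern in the four steps: a freshly opened account whose first use of a link is an inbound pull. The name comparison, the 24-hour window and the sample requests are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Verification methods named in the post; only the third relies on a name match.
STRONG_METHODS = {"microdeposit", "aggregator"}
NAME_MATCH = "ews_name_match"

@dataclass
class LinkRequest:
    opened_at: datetime            # when the new (Bank 2) account was opened
    requested_at: datetime         # when the link to Bank 1 was requested
    method: str                    # "microdeposit", "aggregator" or NAME_MATCH
    name_on_new: str               # name on the newly opened account
    name_on_linked: str            # name reported for the linked account
    first_transfer_is_pull: bool   # first use of the link moves funds inward

def names_match(a: str, b: str) -> bool:
    """Hypothetical stand-in for the EWS name check: case/whitespace-insensitive."""
    return " ".join(a.lower().split()) == " ".join(b.lower().split())

def link_confirmed(req: LinkRequest) -> bool:
    """Option 3 succeeds purely on a name match; the other two methods are
    assumed to have already proven control of the linked account."""
    if req.method in STRONG_METHODS:
        return True
    return req.method == NAME_MATCH and names_match(req.name_on_new, req.name_on_linked)

def risk_flags(req: LinkRequest) -> list[str]:
    """Signals a defender can still see when both names match."""
    flags = []
    if req.method == NAME_MATCH:
        flags.append("name_match_only")
    if req.requested_at - req.opened_at < timedelta(days=1):
        flags.append("linked_within_24h_of_opening")
    if req.first_transfer_is_pull:
        flags.append("first_transfer_pulls_funds")
    return flags

def hold_for_review(req: LinkRequest) -> bool:
    """Hold the inbound pull when name-match-only linking coincides with the
    brand-new-account, drain-inward pattern described in the post."""
    return link_confirmed(req) and len(risk_flags(req)) == 3

# Constructed samples: the four-step scenario, and legitimate microdeposit funding.
T0 = datetime(2024, 6, 1, 9, 0)
SUSPECT = LinkRequest(T0, T0 + timedelta(hours=2), NAME_MATCH, "Jane Q Doe", "jane q doe", True)
LEGIT = LinkRequest(T0, T0 + timedelta(days=3), "microdeposit", "Jane Q Doe", "Jane Q Doe", True)
```

Both sample links are confirmed, since the names match in each; only the first trips all three flags and is held.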

It's not just Evolve customers who may be at risk

Evolve is a major ACH originator, which means the leak could contain bank account data for a large number of consumers – potentially millions or tens of millions – who don't have accounts with Evolve, and put accounts that have no direct connection to Evolve at risk. 

For example, if a consumer has opened an account at a bank that is an Evolve customer, and funded that account from an account at a different bank that is not an Evolve customer, the funding account could still potentially be compromised and drained.

Many of these consumers may not even be aware that their data is at risk. 

What's next

As of this writing, the full extent of the breach is not clear, nor is it clear to what extent fraudsters will be able to capitalize on the leaked data to perpetrate fraud.

However, both financial institutions and consumers should be aware of the risk posed by account linking in this context, and should carefully monitor accounts for any sign of fraudulent transactions.
