Breach taxonomy
Summary
On June 25, 2024, Affirm Holdings was notified by Evolve Bank & Trust that Evolve had experienced a cybersecurity incident in which a third party gained unauthorized access to personal and financial information of Evolve's retail banking customers and fintech partners. Because Affirm shares Affirm Card user personal information with Evolve to facilitate card issuance and servicing, Affirm Card users' personal information was believed to be compromised. Affirm's own systems were not compromised and Affirm Card holders could continue using their cards. Affirm launched an independent investigation and began notifying law enforcement and affected users. Filed under Item 8.01.
Tagging rationale
Threat: Unknown
Filing does not attribute the incident to a specific actor → UNKNOWN.
Methods: Data Exfil, Supply Chain
Data was exfiltrated from Evolve Bank (DATA-EXFIL), a third-party financial partner with whom Affirm shares customer data for card issuance → SUPPLY-CHAIN.
Assets: Personal Data
Personal and financial information of Affirm Card users was compromised through the Evolve breach, including data shared by Affirm with Evolve for card servicing → PERSONAL-DATA.
Effects: Info Privacy Loss
Affirm Card users' personal and financial information was compromised through the third-party breach → INFO-PRIVACY-LOSS.
Impact
Affirm Card user personal data compromised via Evolve Bank breach; Affirm's own systems not affected; card functionality uninterrupted; scope of Affirm exposure not fully quantified at filing → score 2.
Insurance: Not disclosed
Filing makes no mention of insurance → null.
Original SEC filing excerpt
Evolve notified the Company that Evolve had experienced a cybersecurity incident whereby a third party gained unauthorized access to personal information and financial information (Personal Information) of Evolve retail banking customers and the customers of its financial technology partners. Because the Company shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve's cybersecurity incident. However, the Company's information systems were not compromised, nor was the ability for Affirm Card holders to continue using their Affirm Card. This incident has not impacted any other part of the Company's business or operations. Upon being notified of the Evolve cybersecurity incident, the Company immediately began an investigation independent of Evolve's investigation to determine whether any Affirm Card user Personal Information had been compromised, and that investigation, along with remediation efforts, is ongoing as of the date of this Current Report on Form 8-K.