Breach taxonomy
Summary
On June 25, 2024, Affirm Holdings was notified by Evolve Bank & Trust that Evolve had experienced a cybersecurity incident in which a third party gained unauthorized access to personal and financial information of Evolve's retail banking customers and fintech partners. Because Affirm shares Affirm Card user personal information with Evolve to facilitate card issuance and servicing, Affirm Card users' personal information was believed to be compromised. Affirm's own systems were not compromised and Affirm Card holders could continue using their cards. Affirm launched an independent investigation and began notifying law enforcement and affected users. Filed under Item 8.01.
Tagging rationale
ThreatUnknown
Filing does not attribute the incident to a specific actor → UNKNOWN.
MethodsData ExfilSupply Chain
Data was exfiltrated from Evolve Bank (DATA-EXFIL), a third-party financial partner with whom Affirm shares customer data for card issuance → SUPPLY-CHAIN.