July 2, 2024 • 22 mins
Can a single phishing attack lead to the financial ruin of millions? Brace yourself as we uncover the catastrophic data breach at Evolve Bank, orchestrated by the infamous LockBit ransomware group. Maia and Sam dissect this digital disaster, where a simple phishing scam blew open the floodgates, exposing the personal identifiable information (PII) of millions of Americans on the dark web. This breach isn’t just a wake-up call; it's a seismic shock, revealing glaring loopholes in our current security measures. We commend Jason Mikula for his fearless reporting on this issue, even under the looming shadow of legal threats from Evolve Bank.
The breach at Evolve Bank has sent shockwaves through the fintech industry, triggering a wider trust crisis. Imagine the chaos when social security numbers and other unchangeable PII are compromised. Drawing from the notorious Equifax hack, we stress the urgent need for robust, multifaceted security measures. We discuss the ripple effects impacting services like instant payouts and buy-now-pay-later schemes and scrutinize Evolve's lackluster response compared to the proactive stance of industry leaders like Max Levchin of Affirm. Join us as we call for better handling of such existential threats to sustain consumer trust in fintech innovations.
Hosts: Sam Maule & Maia Bittner
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Sam Maule (00:00):
Hey everybody, welcome to another episode of
Artificially Intelligent.
I am one of your interns, SamMaule.
I am joined by Maia in thesunny West Coast.
I'm guessing, Maia, it lookssunny behind you.
How are you doing?
Maia Bittner (00:18):
Beautiful day today, welcome back.
Welcome back.
I'm excited to be jumping onand learning more things with
you today, Sam.
Sam Maule (00:25):
Yeah, I live in Florida everybody, so you never
know day to day what it'mexcited to be jumping on and
learning more things with youtoday, sam.
Yeah, I live in Floridaeverybody, so you never know day
to day what it's going to belike.
We're tracking this Cat 5hurricane.
It's just another day inFlorida, Maia, but we have the
equivalent of a Cat 5 hurricanehappening in the fintech
community.
How is that for a segue?
I am so proud of myself with ahurricane segue Because there's
(00:47):
this famous quote by Mr Lennonthat says there are decades when
nothing happens and there areweeks when decades happen.
And the past few weeks havefelt like decades in the fintech
community, Maia.
Maia Bittner (01:01):
You know, and none of it is good.
We have had no good news.
It's not like there's all kindsof news happening.
No, it's really only bad news,which I think is probably most
often the situation when peoplepull out that quote.
Sam Maule (01:27):
I mean, let's start with what's happening with this
incredible data breach that tookplace.
Initially, the news was thatLockBit, this ransomware group,
had hacked the Federal Reserveand had something like 33
terabytes of data, but whatwe've learned over this decade
of the past week or so is thatthis is Evolve Bank that had the
data breach and basically PIIdata is now sitting out in the
(01:49):
dark web for a ridiculous numberof people and it affects a
ridiculous number of fintechs.
I've basically been chugginganti-acid medicine, I think, for
the past week, every time Iread one of these reports.
Maia.
Maia Bittner (02:10):
Well, sam.
So first clarify some of thebasics for me on this.
When I hear right LockBit, theransomware group they release
the data on, I think, millionsof Americans, pii, social
security number, all that Basicquestion does that mean that
they asked Evolve for a ransomand Evolve did not pay up?
(02:30):
So this was the consequence, orwhat do we know about how this
situation played out?
I mean, of course, having thedata breach happen in the first
place is not ideal and that'swhat we want to prevent.
But do we know?
Sam Maule (02:41):
what happened right after.
I think it's still somewhathazy, but here's my
understanding is that Evolve diddetermine that they had a data
breach going back to May of thisyear.
The data breach was caused bytake a guess Maia.
How do you think this databreach started?
How does every data breachstart?
Maia Bittner (03:01):
So it depends on what decade we're talking about.
So it depends on what decadewe're talking about.
If it was the 90s, a databreach happened because somebody
left their laptop on the bus onthe way home to work.
If it's the 2000s, but yeah, Imean, uh, they could have been
spearfished yeah, in this caseit was clicking on a link.
Sam Maule (03:24):
Right, an employee clicked on a link.
Those wonderful phishingattacks that opened up the gates
, that allowed lock bit to getin um lock.
Maia Bittner (03:34):
It is interesting.
So, and back up a little bit,we've talked about this.
Um.
So an employee clicked on thelink terrible, totally.
Like everybody gets trained notto do that.
But how much freaking accessdid this employee have, you know
?
Like was this and was this theCEO?
Like it's not.
Like every lay person at a bankhas access to the PII for a
(03:58):
million.
And you know, a good system,besides having layers of
permissions and things like that, has a lot of rate limiting in
place, so that there are someemployees who are allowed to
look at the social securitynumber for any customer, but if
they look at more than like 100in an hour, right, you start to
shut that system down.
Sam Maule (04:18):
Yeah, I mean, it's unbelievable.
I mean the unfolding drama.
I guess one of the best placesis to follow Jason Mikula, who
we both know and love.
Maia Bittner (04:29):
Jason is the expert here.
Sam Maule (04:30):
Man.
He's done an incredible job ofreporting on this.
Yeah, on Twitter, so much sothat he's received a cease and
desist order from Evolve Bank.
Bless you, jason.
But yeah, I mean, it evenappears that they were able to
hack into a large volume oftheir internal emails.
Something like 9.9 gigabytes ofPST files, which is basically
(04:51):
Outlook data files are sittingout there.
Maia Bittner (04:53):
Why do they even have like don't?
I mean many companies rightsort of delete all their emails
every three months or six monthsor a year.
Right, it's like why was thereaccess to so many emails?
Sam Maule (05:05):
It is just it's amazing.
It's like why was there accessto so many emails?
It is just it's amazing.
I'll tell you what we need todo a show sometime just on
ransomware companies, because Iwent out and did a little bit of
reading about LockBit and it'sfascinating.
They're basically, you know howyou have banking as a service
and software as a service.
So LockBit is ransomware as aservice, so is a business.
Everybody, um, and and thisgroup is flipping really, really
(05:29):
good about good at it they'rethe world's most politic
ransomware.
Um, I guess firm, I don't knowa better way of saying it group.
Maia Bittner (05:36):
I guess it's a ball.
It is all about incentives,right, and the thing is we not
want nobody wants socialsecurity numbers released on the
dark web.
It's not good for anybody,right?
And I'm including LockBit.
Lockbit isn't profiting off ofhaving social security numbers
on the dark web.
Americans are obviously goingto get screwed from this, and so
(05:59):
that's what I'm saying.
This is really kind of theworst case scenario.
That's what I'm saying.
This is really kind of theworst case scenario.
Sam Maule (06:04):
Oh, it's horrible.
What's interesting is, again,we believe the hack occurred
toward the back end of May.
In the first week of May the USgovernment actually charged the
founders of Lockpit, which is aRussian national Shocker,
basically put a $10 millionbounty on their head.
So yeah, of all things right, Imean just we're talking weeks
(06:28):
before this hack even happened.
You know the US governmentbasically was going out for them
.
So I mean, again, like we saidat the beginning, there are just
some weeks where you're likeman, could we use a little good
news?
You know, just a little bit.
Maia Bittner (06:42):
Well, and Evolve so, really, honestly, a great
target for LockBit.
They're in this reallyinteresting vulnerable position,
right.
So my guess Evolve is a smallbank in the scheme of things,
right, if you compare it up toChase Bank of America, they are
a small bank.
They probably do not have thesame.
We know that they don't havesufficient security practices,
(07:03):
right.
They don't have the IT staffthat one of these bigger banks
has.
But on the flip side, evolvehas built their business as a
partner to fintech companies.
So Evolve is probably thenumber one biggest partner bank
that supports fintech programs.
They power a bunch of bankingas a service software platforms,
(07:23):
right.
So those are the.
Evolve is the bank behind abunch of software platforms,
including infamous Synapse.
That powers a bunch of otherprograms as well as just working
directly with really bigcompanies like Affirm and Stripe
.
Sam Maule (07:40):
Yeah, I mean Evolve.
I was just looking at it now.
I mean, you know, when we thinkof the big boys, evolve is
based out of Tennessee, if Iremember right.
You know this is sub $5 billionin assets when you talk about
total assets for the bank, so asmall bank, but a massive player
.
Maia Bittner (07:56):
Durban exempt.
Sam Maule (07:57):
Yeah, I mean massive player, though when it comes to
fintech, I mean the number ofcompanies that they service is I
mean you're talking.
Affirm Earning Marketta.
Lord Alloy Bond Branch.
Dave Melio, mercury Love.
Maia Bittner (08:16):
Mercury Mercury, I think Mercury previously, but
not currently.
Sam Maule (08:20):
Yeah, not currently, and I think that's a good point.
Maia Bittner (08:24):
Yeah, with Mercury , although I'm curious.
So if Mercury customers I meanpresumably if personal
information was hacked, evolvestill has all the personal
information from Mercurycustomers, even though they have
since switched off it, unless,as part of their switching, they
I mean I honestly I don't eventhink you can request that data
(08:47):
be deleted.
I think the banks need to keepthat data in order to comply
with regulations and for futurereporting, and so it stems the
damage.
It makes Mercury look good thatthey've moved off of Evolve.
Anyone who's signed up superrecently will not have been a
victim, but it seems like mostMercury customers are still
(09:10):
impacted by this, as well asanyone else who has moved off of
Evolve.
Sam Maule (09:15):
Did you get a chance to read the post by Supes over
at Sardine AI?
Nope, when he talked about this.
Maia Bittner (09:21):
What did he say?
Sam Maule (09:21):
It's fascinating.
He did a.
Supes went on a thread rantabout this a couple days ago.
So everyone doesn't know.
Supes is the founder of SardineAI, which is again in this.
You know the AML KYC space andfraud.
Very fascinating one becausehe's like you.
Please understand.
The second your social securitynumber is compromised.
(09:42):
It's compromised.
There's no tokenization aroundyour social security.
There's no way to go out andget a new SSN issued, right, or
an EIN.
I mean it's again.
We are in this day and age.
We talk about this in bankingall the time, but this extends
far beyond banking.
What we rely upon for PIA datais data that can't be changed
(10:09):
your date of birth, your social.
You know I mean, let's go backto the day right, your mother's
maiden name, your favorite hobby.
I guess you can change yourfavorite hobby.
You can't change your mother'smaiden name.
You're not changing your dateof birth, you're not changing
your social, you know.
I mean, just like you said,when that PII data is out there,
it's out there, I mean- there.
Maia Bittner (10:27):
I mean it's just game over.
I mean, honestly, it's likeafter after the um equifax hack,
a lot of that is out thereanyway.
Um, I think, frankly, this isnot the first time that we've
realized, like, look, we cannotdepend on social security number
, on knowing social securitynumber, as proof that somebody
is who they say they are and aproof of their identity.
(10:49):
Right, we got to step up it,like has to.
It's an arms race and it's gotto continue to be multifaceted.
I know other data that wasleaked that is a little bit less
sensitive, but the full 16digit card numbers referred to
as the pan.
I think a firm just confirmedthat their card product is
(11:13):
totally compromised.
That's kind of rough right.
There's a lot of protectionsbaked into cards.
People can get those reissued,but it's a huge pain in the ass.
A lot of settlement files, achfiles, I think, even people who
did not have an account atEvolve but who sent a transfer
(11:33):
to somebody who has an accountat Evolve.
Some of their information hasbeen compromised too.
Sam Maule (11:36):
That's what makes this interesting, because that's
where we've gotten in thegotten.
I don't think that's greatEnglish, everybody.
That's where we're at now, in2024, with FinTech.
That's part of the skin in thegame level that we're at,
because we're talking aboutbanking as a service, or blank
as a service.
(11:57):
There's multiple layers ofintegration, right, I mean, I'm,
I'm a bank, I am servicing, saythis, this, this payments
company, and then there's a kycvendor that sits out there and a
fraud vendor that's out thereand take your pick, and so the
spider webs of tracking thisback to figure out the impact is
(12:17):
the CSI for fintech and hackslike this.
That's a business model.
That's something I should havegone into.
But again, everybody, I likewhat Maia referenced when you
talked about Equifax.
That was back in 2017, the hackthat occurred there.
Maia Bittner (12:37):
Again.
This isn't new.
We already lost everybody'ssocial security number.
Let's be real.
Sam Maule (12:41):
It wasn't secret, amen, it wasn't secret, we it
wasn't secret.
Maia Bittner (12:45):
We lost it again.
Um, but this is I mean it'sreally far reaching my well one
of my biggest concerns.
I mean, sam, this is ourindustry, right?
You, you and I have kind of betour careers on FinTech and this
is a huge trust-breaking moment.
Um, equifax lost a lot of trustin the breach, but people can't
(13:08):
really decide whether they're apart of Equifax or whether
they're using it or not.
The credit bureaus do not havestrong consumer brands, right?
They are mostly, and so that wassort of a side A lot of this
consumer stuff.
I mean, dude, everybody whogets instant payouts from Uber I
(13:28):
think they might have beenaffected because Branch, the
payments provider there, waspowered by Evolve.
I mean FinTech, like all of thestuff that people love from
FinTech, which is those instantpayouts, right, which is
fee-free banking, which is allthat stuff that Stripe does,
which is buy nowfree banking,which is, um, all you know all
that stuff that stripe does,which is buy now, pay later from
(13:49):
a firm.
Like there's a ton of consumerdemand for this.
But this is kind of a bigtrust-breaking moment and I
gotta say I mean, ever thesocial security numbers were out
evolve as a small bank.
They don't have the it.
I can be a little bitunderstanding for some of the
stuff with the, with the hack,but the comms has been abysmal
(14:10):
people are getting emails, thetiming, the confusion.
It seems like nobody knowsexactly what happened.
Um, I am getting my phone isblowing up with text messages
from people saying, hey, I bankwith mercury.
Like am, is my money at risk?
Hey, like I have an Affirm card, what do I need?
Like nobody is on top of thisstuff and Evolve is way behind
(14:35):
the ball.
I mean, you kind of casuallymentioned the cease and desist
against Jason for reporting.
I feel like that shows how muchthey've sort of lost the thread
on this.
Sam Maule (14:46):
Yeah, I'm with you on that one.
Maia Bittner (14:47):
They're out of control it's interesting.
Sam Maule (14:51):
Yeah, I mean, and that was a Twitter thread that
was going on when Jason wastalking about this and he
literally mentioned somethingabout a firm and Max Levchin,
right out in the blue, repliedto Jason and said yeah, if
there's anything you can do togive me more information to help
with this, I give Max Levchinprops for that Right.
Get out in front of this Wisehas done that.
Maia Bittner (15:13):
Max has had great comms throughout this.
Sam Maule (15:16):
I'm a big everybody just so we can get past this.
I'm a Max Levchin fanboy, so Ilike Max.
Maia Bittner (15:22):
I think he's brilliant One of the PayPal
mafia.
Everybody Very good at what hedoes.
Sam Maule (15:27):
And proved that buy now, pay later was a real thing,
because everyone yeah.
Maia Bittner (15:31):
Through, like it feels like Max's, like force of
will.
Sam Maule (15:34):
Yeah, max, come on the show.
Come on, baby.
Would love to interview.
But yeah, I think he did afantastic job jumping in front
of this.
Wise has done the same thing.
You know, on the comms part, Ithink Mercury has done a good
job, mercury has been excellent,you know.
I kind of you know.
I think it evolved.
I think you positioned thiscorrectly when Equifax had this
(15:55):
you know, massive hack everyoneback in 2017, and they were
fined.
I think it was like $1.3billion, if I remember.
It was a chunk of change.
They had to pay out the door.
Equifax can survive that.
Evolve is not a large bank theyaren't and on top of this, they
had the whole Synapse debacle,which was also happening, this
(16:16):
whole reconciliation issue thatthey had.
They had the OCC come at themwith the.
You know they got nailed thereand then you know just not that
I think it was yesterday or theday before.
You know, now you've gotcongressmen more or less coming
after Evolve too.
You know it's been reported.
(16:37):
So some rough days in Tennessee, I think, right now.
Maia Bittner (16:42):
Rough days.
So we have.
So there's a couple ofweaknesses that have been
highlighted by recent events.
So one we've got like aconcentration risk in the
fintech ecosystem.
So many products were poweredby Evolve on the backend, that
then, right, with this one hack,it's taken down like a ton of
the fintech industry including.
(17:03):
Well, yeah, so that's one risk.
A second risk, you know, havingthese sponsor banks, since it's
so difficult to get a bankcharter and to be regulated, as
a bank in the US has had allthese interesting things.
So the sponsor banks don'treally have the end customer
relationship, and that's whatthe fintechs want.
They say, hey, we want to ownthe customer relationship and
(17:25):
all the communications with themand we just want to kind of
rent out your bank charter.
Well, we're in a weird assposition now where, like, even a
bunch of the startups that werebacked by Evolve have shut down
, right, so they don't evenexist anymore.
Their customers' information wasleaked in the Evolve hack.
Well, who's sending out theemails?
(17:46):
Who's sending out thenotification?
Is it Evolve, this company thatthey may not have even heard of
before?
Right, it's got that smallprint at the bottom you signed
up for a Glorify account andthere's this tiny print that are
like banking services providedby Evolve, na, like whatever the
whole thing, and then you getan email from them out of the
blue.
So I feel like the customercomms piece has just been done
(18:08):
really poorly, both because wehave like a little bit of
incompetence, but also just as astructural weakness like this
is the way that the fintechecosystem is structured.
It's a lot of benefits toseparating out the customer
relationship to be owned by thefintech, but this is we're kind
of seeing one of the weaknessestoo, particularly if the fintech
is shorter lived than the bank,which is going to be the case.
(18:30):
It's almost by design thatbanks are pretty hard to fail in
the US.
Sam Maule (18:34):
Yeah, I think there's a great quote in paymentscom
today.
It was from Thread CEO, jimMcCarthy.
Thread being T-H-R-E-D-D.
Welcome to FinTech.
There's so many companies namedthe same thing, but this is a
good quote.
He said the regulators are nowawake.
Too many people are focused onthe as a service part but have
minored in the banking part ofit all.
(18:56):
If you're going to play in thatspace, I'd argue that if you
fail at the banking part, theservice piece doesn't even
matter.
Yeah, yeah, 100%.
There's a lot Like what WadeArnold, the founder of Move
Railwork, says there's a lot offin in fintech, but there needs
to be a bit more.
You know, what I find reallyinteresting about this is way
(19:17):
back in the day, when I was onsubs bouncing around under the
ocean, we had what we calledcasualty operating procedures.
They were cops, Maia, and therewere these 13 manuals that
basically addressed every singlesituation that would take our
guidance system down and notallow us to launch nuclear
missiles.
(19:38):
And they were step-by-stepmanuals that, by the way, as the
navigation supervisor where Iworked, I had to have them
memorized.
I had 13 manuals.
I knew every step, every step,and we practiced.
We did drills.
Practice just didn't sound likethe military.
We drilled on them over andover again.
(19:59):
We'd do them in the dark.
We'd do them with our air maskon.
We would do them while divingdeep.
We'd do them with our air maskon.
We would do them while divingdeep.
We'd do them while doing anemergency surface.
We would go through everyscenario and they would
constantly get updated becausewe'd think of another terrible
thing that could happen, becauseessentially, we could end the
world.
That was, the job of thesubmarine was to launch nuclear
missiles, you wonder.
(20:22):
Dude, it doesn't look to me likeEvolve that I'm just gonna say
it might be good, everybody yeahcritical large data leak.
Maia Bittner (20:30):
What do we do?
What's step one?
Sam Maule (20:33):
yep, yep, yep, because right now you've got
about five or six differentthings hitting all at the same
time.
I get it, I understand, I feelyour pain, but man, everybody,
um, let's do better.
Maia Bittner (20:45):
Their leadership team is going to get some ulcers
.
Sam Maule (20:48):
Yeah, I'll say this, Maia, and this even ties back to
the Synapse debacle that wasgoing on.
When you read, we have toremember, at the end of the day,
we're servicing real people,whether they're small businesses
or individuals, consumers whocan't access the money they put
into synapse, you know, and say,hey, I'm out $30,000.
I'm actually suicidal, Ibelieve that was one of the
(21:09):
letters.
Maia Bittner (21:09):
I mean it's unacceptable.
Sam Maule (21:10):
That's at the end of the day.
We have a fiduciary and ethicalresponsibility.
I'm preaching everybody, but Idon't care.
Maia Bittner (21:17):
We have a fiduciary and ethical
responsibility to do better toremember who we're servicing
Ethical and, frankly, regulatoryresponsibility to do better, to
remember who we're servicing.
Ethical and, frankly,regulatory responsibility yes
give people access to theirfunds.
Sam Maule (21:30):
So everybody, let's do better.
Okay, how's that?
Maia Bittner (21:32):
let's do better let's wrap this up I know we're
in the middle of this, we don'teven know all the consequences
exactly, yet still unfolding butexcited to keep an eye on it.
Hopefully it doesn't take downthe whole industry.
Hey, that would be nice.
Sam Maule (21:46):
Please don't I like working here everybody.
Hey, go out and read JasonMalika's.
Oh, jason, come on, mikula,sorry, jason, I keep trying.
Great Twitter feed.
There's others that arereporting.
Great, a lot of reporting goingon right now.
The story is unfolding, evensome of the things that we
(22:07):
talked about we're going to getmore clarity on.
But again, everybody, let'sjust do better.
Hey, thanks for listening.
Really, we really do appreciateit.
We love this space.
Like I said, Maia and I justkeep learning, right, Maia?
I mean, every week somethingnew comes up.
It's fascinating.
Maia Bittner (22:24):
You know it's fun when there's so much drama.
Sam Maule (22:28):
Yeah, drama Drama's fun as long as it's not your
drama or mine.
Hey everybody, have a greatweek.
Maia Bittner (22:34):
So thanks so much for listening to another episode
of Artificially Intelligentpart of the Money 2020 Network.
We will see you next week.
Hey everybody, welcome to another episode of
Artificially Intelligent.
I am one of your interns, SamMaule.
I am joined by Maia in thesunny West Coast.
I'm guessing, Maia, it lookssunny behind you.
How are you doing?
Maia Bittner (00:18):
Beautiful day today, welcome back.
Welcome back.
I'm excited to be jumping onand learning more things with
you today, Sam.
Sam Maule (00:25):
Yeah, I live in Florida everybody, so you never
know day to day what it'mexcited to be jumping on and
learning more things with youtoday, sam.
Yeah, I live in Floridaeverybody, so you never know day
to day what it's going to belike.
We're tracking this Cat 5hurricane.
It's just another day inFlorida, Maia, but we have the
equivalent of a Cat 5 hurricanehappening in the fintech
community.
How is that for a segue?
I am so proud of myself with ahurricane segue Because there's
(00:47):
this famous quote by Mr Lennonthat says there are decades when
nothing happens and there areweeks when decades happen.
And the past few weeks havefelt like decades in the fintech
community, Maia.
Maia Bittner (01:01):
You know, and none of it is good.
We have had no good news.
It's not like there's all kindsof news happening.
No, it's really only bad news,which I think is probably most
often the situation when peoplepull out that quote.
Sam Maule (01:27):
I mean, let's start with what's happening with this
incredible data breach that tookplace.
Initially, the news was thatLockBit, this ransomware group,
had hacked the Federal Reserveand had something like 33
terabytes of data, but whatwe've learned over this decade
of the past week or so is thatthis is Evolve Bank that had the
data breach and basically PIIdata is now sitting out in the
(01:49):
dark web for a ridiculous numberof people and it affects a
ridiculous number of fintechs.
I've basically been chugginganti-acid medicine, I think, for
the past week, every time Iread one of these reports.
Maia.
Maia Bittner (02:10):
Well, sam.
So first clarify some of thebasics for me on this.
When I hear right LockBit, theransomware group they release
the data on, I think, millionsof Americans, pii, social
security number, all that Basicquestion does that mean that
they asked Evolve for a ransomand Evolve did not pay up?
(02:30):
So this was the consequence, orwhat do we know about how this
situation played out?
I mean, of course, having thedata breach happen in the first
place is not ideal and that'swhat we want to prevent.
But do we know?
Sam Maule (02:41):
what happened right after.
I think it's still somewhathazy, but here's my
understanding is that Evolve diddetermine that they had a data
breach going back to May of thisyear.
The data breach was caused bytake a guess Maia.
How do you think this databreach started?
How does every data breachstart?
Maia Bittner (03:01):
So it depends on what decade we're talking about.
So it depends on what decadewe're talking about.
If it was the 90s, a databreach happened because somebody
left their laptop on the bus onthe way home to work.
If it's the 2000s, but yeah, Imean, uh, they could have been
spearfished yeah, in this caseit was clicking on a link.
Sam Maule (03:24):
Right, an employee clicked on a link.
Those wonderful phishingattacks that opened up the gates
, that allowed lock bit to getin um lock.
Maia Bittner (03:34):
It is interesting.
So, and back up a little bit,we've talked about this.
Um.
So an employee clicked on thelink terrible, totally.
Like everybody gets trained notto do that.
But how much freaking accessdid this employee have, you know
?
Like was this and was this theCEO?
Like it's not.
Like every lay person at a bankhas access to the PII for a
(03:58):
million.
And you know, a good system,besides having layers of
permissions and things like that, has a lot of rate limiting in
place, so that there are someemployees who are allowed to
look at the social securitynumber for any customer, but if
they look at more than like 100in an hour, right, you start to
shut that system down.
Sam Maule (04:18):
Yeah, I mean, it's unbelievable.
I mean the unfolding drama.
I guess one of the best placesis to follow Jason Mikula, who
we both know and love.
Maia Bittner (04:29):
Jason is the expert here.
Sam Maule (04:30):
Man.
He's done an incredible job ofreporting on this.
Yeah, on Twitter, so much sothat he's received a cease and
desist order from Evolve Bank.
Bless you, jason.
But yeah, I mean, it evenappears that they were able to
hack into a large volume oftheir internal emails.
Something like 9.9 gigabytes ofPST files, which is basically
(04:51):
Outlook data files are sittingout there.
Maia Bittner (04:53):
Why do they even have like don't?
I mean many companies rightsort of delete all their emails
every three months or six monthsor a year.
Right, it's like why was thereaccess to so many emails?
Sam Maule (05:05):
It is just it's amazing.
It's like why was there accessto so many emails?
It is just it's amazing.
I'll tell you what we need todo a show sometime just on
ransomware companies, because Iwent out and did a little bit of
reading about LockBit and it'sfascinating.
They're basically, you know howyou have banking as a service
and software as a service.
So LockBit is ransomware as aservice, so is a business.
Everybody, um, and and thisgroup is flipping really, really
(05:29):
good about good at it they'rethe world's most politic
ransomware.
Um, I guess firm, I don't knowa better way of saying it group.
Maia Bittner (05:36):
I guess it's a ball.
It is all about incentives,right, and the thing is we not
want nobody wants socialsecurity numbers released on the
dark web.
It's not good for anybody,right?
And I'm including LockBit.
Lockbit isn't profiting off ofhaving social security numbers
on the dark web.
Americans are obviously goingto get screwed from this, and so
(05:59):
that's what I'm saying.
This is really kind of theworst case scenario.
That's what I'm saying.
This is really kind of theworst case scenario.
Sam Maule (06:04):
Oh, it's horrible.
What's interesting is, again,we believe the hack occurred
toward the back end of May.
In the first week of May the USgovernment actually charged the
founders of Lockpit, which is aRussian national Shocker,
basically put a $10 millionbounty on their head.
So yeah, of all things right, Imean just we're talking weeks
(06:28):
before this hack even happened.
You know the US governmentbasically was going out for them
.
So I mean, again, like we saidat the beginning, there are just
some weeks where you're likeman, could we use a little good
news?
You know, just a little bit.
Maia Bittner (06:42):
Well, and Evolve so, really, honestly, a great
target for LockBit.
They're in this reallyinteresting vulnerable position,
right.
So my guess Evolve is a smallbank in the scheme of things,
right, if you compare it up toChase Bank of America, they are
a small bank.
They probably do not have thesame.
We know that they don't havesufficient security practices,
(07:03):
right.
They don't have the IT staffthat one of these bigger banks
has.
But on the flip side, evolvehas built their business as a
partner to fintech companies.
So Evolve is probably thenumber one biggest partner bank
that supports fintech programs.
They power a bunch of bankingas a service software platforms,
(07:23):
right.
So those are the.
Evolve is the bank behind abunch of software platforms,
including infamous Synapse.
That powers a bunch of otherprograms as well as just working
directly with really bigcompanies like Affirm and Stripe
.
Sam Maule (07:40):
Yeah, I mean Evolve.
I was just looking at it now.
I mean, you know, when we thinkof the big boys, evolve is
based out of Tennessee, if Iremember right.
You know this is sub $5 billionin assets when you talk about
total assets for the bank, so asmall bank, but a massive player
.
Maia Bittner (07:56):
Durban exempt.
Sam Maule (07:57):
Yeah, I mean massive player, though when it comes to
fintech, I mean the number ofcompanies that they service is I
mean you're talking.
Affirm Earning Marketta.
Lord Alloy Bond Branch.
Dave Melio, mercury Love.
Maia Bittner (08:16):
Mercury Mercury, I think Mercury previously, but
not currently.
Sam Maule (08:20):
Yeah, not currently, and I think that's a good point.
Maia Bittner (08:24):
Yeah, with Mercury , although I'm curious.
So if Mercury customers I meanpresumably if personal
information was hacked, evolvestill has all the personal
information from Mercurycustomers, even though they have
since switched off it, unless,as part of their switching, they
I mean I honestly I don't eventhink you can request that data
(08:47):
be deleted.
I think the banks need to keepthat data in order to comply
with regulations and for futurereporting, and so it stems the
damage.
It makes Mercury look good thatthey've moved off of Evolve.
Anyone who's signed up superrecently will not have been a
victim, but it seems like mostMercury customers are still
(09:10):
impacted by this, as well asanyone else who has moved off of
Evolve.
Sam Maule (09:15):
Did you get a chance to read the post by Supes over
at Sardine AI?
Nope, when he talked about this.
Maia Bittner (09:21):
What did he say?
Sam Maule (09:21):
It's fascinating.
He did a.
Supes went on a thread rantabout this a couple days ago.
So everyone doesn't know.
Supes is the founder of SardineAI, which is again in this.
You know the AML KYC space andfraud.
Very fascinating one becausehe's like you.
Please understand.
The second your social securitynumber is compromised.
(09:42):
It's compromised.
There's no tokenization aroundyour social security.
There's no way to go out andget a new SSN issued, right, or
an EIN.
I mean it's again.
We are in this day and age.
We talk about this in bankingall the time, but this extends
far beyond banking.
What we rely upon for PIA datais data that can't be changed
(10:09):
your date of birth, your social.
You know I mean, let's go backto the day right, your mother's
maiden name, your favorite hobby.
I guess you can change yourfavorite hobby.
You can't change your mother'smaiden name.
You're not changing your dateof birth, you're not changing
your social, you know.
I mean, just like you said,when that PII data is out there,
it's out there, I mean- there.
Maia Bittner (10:27):
I mean it's just game over.
I mean, honestly, it's likeafter after the um equifax hack,
a lot of that is out thereanyway.
Um, I think, frankly, this isnot the first time that we've
realized, like, look, we cannotdepend on social security number
, on knowing social securitynumber, as proof that somebody
is who they say they are and aproof of their identity.
(10:49):
Right, we got to step up it,like has to.
It's an arms race and it's gotto continue to be multifaceted.
I know other data that wasleaked that is a little bit less
sensitive, but the full 16digit card numbers referred to
as the pan.
I think a firm just confirmedthat their card product is
(11:13):
totally compromised.
That's kind of rough right.
There's a lot of protectionsbaked into cards.
People can get those reissued,but it's a huge pain in the ass.
A lot of settlement files, achfiles, I think, even people who
did not have an account atEvolve but who sent a transfer
(11:33):
to somebody who has an accountat Evolve.
Some of their information hasbeen compromised too.
Sam Maule (11:36):
That's what makes this interesting, because that's
where we've gotten in thegotten.
I don't think that's greatEnglish, everybody.
That's where we're at now, in2024, with FinTech.
That's part of the skin in thegame level that we're at,
because we're talking aboutbanking as a service, or blank
as a service.
(11:57):
There's multiple layers ofintegration, right, I mean, I'm,
I'm a bank, I am servicing, saythis, this, this payments
company, and then there's a kycvendor that sits out there and a
fraud vendor that's out thereand take your pick, and so the
spider webs of tracking thisback to figure out the impact is
(12:17):
the CSI for fintech and hackslike this.
That's a business model.
That's something I should havegone into.
But again, everybody, I likewhat Maia referenced when you
talked about Equifax.
That was back in 2017, the hackthat occurred there.
Maia Bittner (12:37):
Again.
This isn't new.
We already lost everybody'ssocial security number.
Let's be real.
Sam Maule (12:41):
It wasn't secret, amen, it wasn't secret, we it
wasn't secret.
Maia Bittner (12:45):
We lost it again.
Um, but this is I mean it'sreally far reaching my well one
of my biggest concerns.
I mean, sam, this is ourindustry, right?
You, you and I have kind of betour careers on FinTech and this
is a huge trust-breaking moment.
Um, equifax lost a lot of trustin the breach, but people can't
(13:08):
really decide whether they're apart of Equifax or whether
they're using it or not.
The credit bureaus do not havestrong consumer brands, right?
They are mostly, and so that wassort of a side A lot of this
consumer stuff.
I mean, dude, everybody whogets instant payouts from Uber I
(13:28):
think they might have beenaffected because Branch, the
payments provider there, waspowered by Evolve.
I mean FinTech, like all of thestuff that people love from
FinTech, which is those instantpayouts, right, which is
fee-free banking, which is allthat stuff that Stripe does,
which is buy nowfree banking,which is, um, all you know all
that stuff that stripe does,which is buy now, pay later from
(13:49):
a firm.
Like there's a ton of consumerdemand for this.
But this is kind of a bigtrust-breaking moment and I
gotta say I mean, ever thesocial security numbers were out
evolve as a small bank.
They don't have the it.
I can be a little bitunderstanding for some of the
stuff with the, with the hack,but the comms has been abysmal
(14:10):
people are getting emails, thetiming, the confusion.
It seems like nobody knowsexactly what happened.
Um, I am getting my phone isblowing up with text messages
from people saying, hey, I bankwith mercury.
Like am, is my money at risk?
Hey, like I have an Affirm card, what do I need?
Like nobody is on top of thisstuff and Evolve is way behind
(14:35):
the ball.
I mean, you kind of casuallymentioned the cease and desist
against Jason for reporting.
I feel like that shows how muchthey've sort of lost the thread
on this.
Sam Maule (14:46):
Yeah, I'm with you on that one.
Maia Bittner (14:47):
They're out of control it's interesting.
Sam Maule (14:51):
Yeah, I mean, and that was a Twitter thread that
was going on when Jason wastalking about this and he
literally mentioned somethingabout a firm and Max Levchin,
right out in the blue, repliedto Jason and said yeah, if
there's anything you can do togive me more information to help
with this, I give Max Levchinprops for that Right.
Get out in front of this Wisehas done that.
Maia Bittner (15:13):
Max has had great comms throughout this.
Sam Maule (15:16):
I'm a big everybody just so we can get past this.
I'm a Max Levchin fanboy, so Ilike Max.
Maia Bittner (15:22):
I think he's brilliant One of the PayPal
mafia.
Everybody Very good at what hedoes.
Sam Maule (15:27):
And proved that buy now, pay later was a real thing,
because everyone yeah.
Maia Bittner (15:31):
Through, like it feels like Max's, like force of
will.
Sam Maule (15:34):
Yeah, max, come on the show.
Come on, baby.
Would love to interview.
But yeah, I think he did afantastic job jumping in front
of this.
Wise has done the same thing.
You know, on the comms part, Ithink Mercury has done a good
job, mercury has been excellent,you know.
I kind of you know.
I think it evolved.
I think you positioned thiscorrectly when Equifax had this
(15:55):
you know, massive hack everyoneback in 2017, and they were
fined.
I think it was like $1.3billion, if I remember.
It was a chunk of change.
They had to pay out the door.
Equifax can survive that.
Evolve is not a large bank theyaren't and on top of this, they
had the whole Synapse debacle,which was also happening, this
(16:16):
whole reconciliation issue thatthey had.
They had the OCC come at themwith the.
You know they got nailed thereand then you know just not that
I think it was yesterday or theday before.
You know, now you've gotcongressmen more or less coming
after Evolve too.
You know it's been reported.
(16:37):
So some rough days in Tennessee, I think, right now.
Maia Bittner (16:42):
Rough days.
So we have.
So there's a couple ofweaknesses that have been
highlighted by recent events.
So one we've got like aconcentration risk in the
fintech ecosystem.
So many products were poweredby Evolve on the backend, that
then, right, with this one hack,it's taken down like a ton of
the fintech industry including.
(17:03):
Well, yeah, so that's one risk.
A second risk, you know, havingthese sponsor banks, since it's
so difficult to get a bankcharter and to be regulated, as
a bank in the US has had allthese interesting things.
So the sponsor banks don'treally have the end customer
relationship, and that's whatthe fintechs want.
They say, hey, we want to ownthe customer relationship and
(17:25):
all the communications with themand we just want to kind of
rent out your bank charter.
Well, we're in a weird assposition now where, like, even a
bunch of the startups that werebacked by Evolve have shut down
, right, so they don't evenexist anymore.
Their customers' information wasleaked in the Evolve hack.
Well, who's sending out theemails?
(17:46):
Who's sending out thenotification?
Is it Evolve, this company thatthey may not have even heard of
before?
Right, it's got that smallprint at the bottom you signed
up for a Glorify account andthere's this tiny print that are
like banking services providedby Evolve, na, like whatever the
whole thing, and then you getan email from them out of the
blue.
So I feel like the customercomms piece has just been done
(18:08):
really poorly, both because wehave like a little bit of
incompetence, but also just as astructural weakness like this
is the way that the fintechecosystem is structured.
It's a lot of benefits toseparating out the customer
relationship to be owned by thefintech, but this is we're kind
of seeing one of the weaknessestoo, particularly if the fintech
is shorter lived than the bank,which is going to be the case.
(18:30):
It's almost by design thatbanks are pretty hard to fail in
the US.
Sam Maule (18:34):
Yeah, I think there's a great quote in paymentscom
today.
It was from Thread CEO, jimMcCarthy.
Thread being T-H-R-E-D-D.
Welcome to FinTech.
There's so many companies namedthe same thing, but this is a
good quote.
He said the regulators are nowawake.
Too many people are focused onthe as a service part but have
minored in the banking part ofit all.
(18:56):
If you're going to play in thatspace, I'd argue that if you
fail at the banking part, theservice piece doesn't even
matter.
Yeah, yeah, 100%.
There's a lot Like what WadeArnold, the founder of Move
Railwork, says there's a lot offin in fintech, but there needs
to be a bit more.
You know, what I find reallyinteresting about this is way
(19:17):
back in the day, when I was onsubs bouncing around under the
ocean, we had what we calledcasualty operating procedures.
They were cops, Maia, and therewere these 13 manuals that
basically addressed every singlesituation that would take our
guidance system down and notallow us to launch nuclear
missiles.
(19:38):
And they were step-by-stepmanuals that, by the way, as the
navigation supervisor where Iworked, I had to have them
memorized.
I had 13 manuals.
I knew every step, every step,and we practiced.
We did drills.
Practice just didn't sound likethe military.
We drilled on them over andover again.
(19:59):
We'd do them in the dark.
We'd do them with our air maskon.
We would do them while divingdeep.
We'd do them with our air maskon.
We would do them while divingdeep.
We'd do them while doing anemergency surface.
We would go through everyscenario and they would
constantly get updated becausewe'd think of another terrible
thing that could happen, becauseessentially, we could end the
world.
That was, the job of thesubmarine was to launch nuclear
missiles, you wonder.
(20:22):
Dude, it doesn't look to me likeEvolve that I'm just gonna say
it might be good, everybody yeahcritical large data leak.
Maia Bittner (20:30):
What do we do?
What's step one?
Sam Maule (20:33):
yep, yep, yep, because right now you've got
about five or six differentthings hitting all at the same
time.
I get it, I understand, I feelyour pain, but man, everybody,
um, let's do better.
Maia Bittner (20:45):
Their leadership team is going to get some ulcers
.
Sam Maule (20:48):
Yeah, I'll say this, Maia, and this even ties back to
the Synapse debacle that wasgoing on.
When you read, we have toremember, at the end of the day,
we're servicing real people,whether they're small businesses
or individuals, consumers whocan't access the money they put
into synapse, you know, and say,hey, I'm out $30,000.
I'm actually suicidal, Ibelieve that was one of the
(21:09):
letters.
Maia Bittner (21:09):
I mean it's unacceptable.
Sam Maule (21:10):
That's at the end of the day.
We have a fiduciary and ethicalresponsibility.
I'm preaching everybody, but Idon't care.
Maia Bittner (21:17):
We have a fiduciary and ethical
responsibility to do better toremember who we're servicing
Ethical and, frankly, regulatoryresponsibility to do better, to
remember who we're servicing.
Ethical and, frankly,regulatory responsibility yes
give people access to theirfunds.
Sam Maule (21:30):
So everybody, let's do better.
Okay, how's that?
Maia Bittner (21:32):
let's do better let's wrap this up I know we're
in the middle of this, we don'teven know all the consequences
exactly, yet still unfolding butexcited to keep an eye on it.
Hopefully it doesn't take downthe whole industry.
Hey, that would be nice.
Sam Maule (21:46):
Please don't I like working here everybody.
Hey, go out and read JasonMalika's.
Oh, jason, come on, mikula,sorry, jason, I keep trying.
Great Twitter feed.
There's others that arereporting.
Great, a lot of reporting goingon right now.
The story is unfolding, evensome of the things that we
(22:07):
talked about we're going to getmore clarity on.
But again, everybody, let'sjust do better.
Hey, thanks for listening.
Really, we really do appreciateit.
We love this space.
Like I said, Maia and I justkeep learning, right, Maia?
I mean, every week somethingnew comes up.
It's fascinating.
Maia Bittner (22:24):
You know it's fun when there's so much drama.
Sam Maule (22:28):
Yeah, drama Drama's fun as long as it's not your
drama or mine.
Hey everybody, have a greatweek.
Maia Bittner (22:34):
So thanks so much for listening to another episode
of Artificially Intelligentpart of the Money 2020 Network.
We will see you next week.
Popular Podcasts
Bookmarked by Reese's Book Club
Welcome to Bookmarked by Reese’s Book Club — the podcast where great stories, bold women, and irresistible conversations collide! Hosted by award-winning journalist Danielle Robay, each week new episodes balance thoughtful literary insight with the fervor of buzzy book trends, pop culture and more. Bookmarked brings together celebrities, tastemakers, influencers and authors from Reese's Book Club and beyond to share stories that transcend the page. Pull up a chair. You’re not just listening — you’re part of the conversation.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!