Law.com reports that Affirm, a prominent buy-now-pay-later (BNPL) platform, has been hit with a class action lawsuit following a data breach involving its banking partner, Evolve Bank & Trust, part of a growing trend of cybersecurity incidents affecting financial technology companies. The breach, allegedly carried out by a well-known cybercriminal group, has compromised sensitive user data, sparking legal action and raising questions about the fintech company’s security practices.
The Cyberattack and Data Breach
The breach, confirmed by Evolve on June 25, involved a ransomware attack by the LockBit group, a notorious Russian cybercriminal organization. This attack resulted in the exposure of sensitive client data, which was subsequently published on the dark web. Evolve acknowledged that it became aware of unauthorized activity within its systems in late May and began notifying affected individuals by early July.
The breach exposed personal information, including names, Social Security numbers, dates of birth, and account details. This data potentially puts hundreds of thousands of users at risk of identity theft and fraud.
The Class Action Lawsuit Against Affirm
The class action, filed by the law firm Morgan & Morgan in the U.S. District Court for the Northern District of California, accuses Affirm of failing to protect its users’ personal information. The complaint alleges that Affirm did not properly vet Evolve’s compliance with state and federal data security standards before partnering with the bank. Furthermore, it claims that Affirm did not adhere to Federal Trade Commission (FTC) guidelines on cybersecurity and failed to promptly notify affected users after the breach occurred.
The lawsuit highlights the severity of the breach, arguing that Affirm’s offer of 24 months of identity monitoring services is insufficient given the long-lasting nature of stolen data. Plaintiffs are seeking compensation to cover lifetime identity theft protection services for the affected users.
Evolve’s History of Regulatory Issues
This data breach comes on the heels of regulatory scrutiny for Evolve. Less than two weeks before the breach was confirmed, the Federal Reserve, in collaboration with the Arkansas State Bank Department, issued an enforcement action against Evolve. The action cited deficiencies in the bank’s anti-money laundering practices, risk management, and consumer compliance programs. According to regulatory examinations, Evolve had engaged in “unsafe and unsound” banking practices, particularly in its partnerships with fintech companies like Affirm.
Broader Impact on the Fintech Industry
The breach at Evolve did not affect only Affirm. Other fintech companies, including Branch, EarnIn, Marqeta, Melio, Mercury, Yieldstreet, and Wise, were also reportedly impacted. This incident underscores the broader vulnerabilities within the fintech sector, where partnerships between traditional banks and tech startups are increasingly common.
The lawsuit against Affirm emphasizes the responsibility that fintech companies have to ensure their partners maintain robust security measures. As a leader in the BNPL space, Affirm is expected to carefully select financial partners and ensure that these partners have the necessary infrastructure to protect customer data. The legal action alleges that Affirm fell short of these expectations, leaving its users vulnerable to cyberattacks.
Legal and Consumer Implications
Morgan & Morgan attorney Ron Podolny, representing the plaintiffs, emphasized the gravity of the situation. He stated that Affirm not only failed to secure customer data but also did not provide adequate information about the breach, limiting users’ ability to protect themselves. As a result, many individuals who trusted Affirm now face the risk of identity theft.
The class action seeks to hold Affirm and other responsible parties accountable for their alleged negligence. With the fintech industry continuing to grow, this case serves as a reminder of the importance of stringent cybersecurity measures and transparent communication with consumers in the aftermath of a breach.
Conclusion
As cyberattacks become more sophisticated and frequent, the financial technology sector must prioritize security and risk management. The class action lawsuit against Affirm is a stark reminder of the potential consequences when these protections fall short. As the case unfolds, it will likely serve as a benchmark for how fintech companies and their partners manage cybersecurity risks in the future.