More than 50,000 Revolut customers impacted by data breach

• 

TechCrunch reported on Wednesday that Fintech startup Revolut, a British financial technology company, has confirmed it was hit by a highly targeted cyberattack that allowed hackers to access the personal details of tens of thousands of customers.

Head of Corporate Communications at Revolut Michael Bodansky told TechCrunch that an “unauthorized third party obtained access to the details of a small percentage (0.16%) of our customers for a short period of time.” Company technicians detected the attack late on September 11 and contained it by the following morning.

“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected,” Bodansky said. “Customers who have not received an email have not been impacted.”

Although no funds were accessed or stolen in the attack, Revolut declined to say what types of data were accessed. In a message sent to affected customers, the company said “no card details, PINs or passwords were accessed.” However, the breach disclosure states that hackers likely accessed partial card payment data, along with customers’ names, addresses, email addresses, and phone numbers.

The disclosure further added that the attacker used social engineering methods to gain access to the customer database, which could only have been done by persuading an employee to hand over sensitive data. This has become a popular tactic in recent attacks against a number of well-known companies, including Twilio, Mailchimp, and Okta.

The company did not disclose exactly how many customers were affected. Its website says the company has approximately 20 million customers; 0.16% would translate to about 32,000 customers. However, according to Revolut’s breach disclosure to the authorities in Lithuania, in which the company happens to have a banking license, Revolut says 50,150 customers were impacted by the breach, including 20,687 customers in the European Economic Area and 379 Lithuanian citizens.

Revolut warned that the breach appears triggered a phishing campaign and urged customers to be careful when receiving any communication regarding the breach. The startup advised customers that it will not call or send SMS messages asking for login data or access codes.

The company recently formed a new team tasked with monitoring accounts to safeguard both money and customer data.

“We take incidents such as these incredibly seriously, and we would like to sincerely apologize to any customers who have been affected by this incident as the safety of our customers and their data is our top priority at Revolut,” Bodansky added.

Last year, Revolut raised $800 million in fresh capital, valuing the startup at more than $33 billion.

Read more: 'Israel' offers Albania assistance against alleged cyber attacks