Revolut hack exposes personal data of tens of thousands of users

21 Sep 2022

Image: © vejaa/Stock.adobe.com

The fintech said that 0.16pc of its global customers were affected by a data breach.

Revolut has confirmed it suffered a data breach that impacted tens of thousands of its customers.

The fintech told SiliconRepublic.com that it detected and contained the incident “within hours” and has informed both regulators and impacted customers.

Revolut group data protection officer Claire Coleman said that 0.16pc of the company’s global customers were impacted. She added that “enhanced controls and support” are in place for those affected.

“Cyberattacks are one of the unfortunate realities of doing business today,” Coleman told SiliconRepublic.com. “Revolut has taken all appropriate steps and customers who have not heard from us are not affected.”

Revolut’s website says it has more than 20m customers worldwide, which would imply that more than 32,000 people may have data exposed by the breach.

However, Revolut also notified authorities in Lithuania – where it has a banking licence – about the data breach. A statement from the country’s State Data Protection Inspectorate, first shared by BleepingComputer, says that 50,150 customers could be impacted worldwide, including 20,687 in the European Economic Area.

This breach disclosure notes that the hackers could have accessed the names, addresses, e-mail addresses, telephone numbers and partial card payment details of affected users.

An email Revolut sent to affected customers was shared on Reddit. This email said no card details, PINs or passwords were accessed by the hacker, but the compromised data varies for different customers.

“Although your money is safe, you may be at increased risk of fraud,” the email says. “We recommend that you be especially vigilant for any suspicious activity, including suspicious emails, phone calls or messages.”

The Lithuanian breach disclosure says that social engineering techniques were used by the hacker to access Revolut’s database. These type of techniques – such as phishing attacks – are a common tactic by cybercriminals to break the defences of companies.

The recent Twilio data breach happened after employees were tricked into sharing their login credentials. The hackers behind the breach appear to be conducting an “unprecedented” phishing campaign, compromising more than 130 organisations, according to a report by cybersecurity company Group-IB last month.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com