British fintech company Revolut has confirmed it was the victim of a “highly targeted cyberattack” that resulted in the perpetrator gaining access to tens of thousands of users’ personal data.
A spokesperson from Revolut told UKTN that an “unauthorised third party” obtained access to the data of 32,000 customers, which translates to 0.16% of its customer base, “for a short period of time”.
In total just over 50,000 users had their data compromised, but some 18,000 of those were people that had registered for a Revolut account but had not completed the sign-up process.
Compromised customer data included names, email addresses, date of birth, phone numbers and mobile device type, the spokesperson told UKTN. No payment details or passwords were accessed, Revolut said.
“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted,” Revolut said in a statement.The spokesperson said that “no funds have been accessed or stolen” and that customers can “continue to use their cards and accounts as normal”.
Revolut’s last publically available figures put its customer base at around 20 million, although UKTN understands that number is now closer to 23 million.
The cyberattack took place late on 10 September and was shut down by Revolut at approximately 02:00am the next morning. It stemmed from a Revolut employee being compromised by a phishing scam, in which an attacker sends a legitimate-looking message to trick the target into revealing sensitive information.
The attacker then used the employee’s stolen information to gain access to Revolut systems.
Revolut has been investigating the situation closely and is working with the Information Commissioner’s Office (ICO) and other authorities on the matter.
Revolut has also advised customers to be vigilant of suspicious emails, phone calls, and texts to avoid potential phishing scams following the attack.
Revolut said it is providing a free Experian security check service to affected customers.
Wave of cyberattacks
The Revolut cyberattack follows several other high-profile data breaches in September. Ride-sharing company Uber was the victim of an attack last week, which the company has said is connected to the hacker group Lapsus$.
Lapsus$ is thought to be in part based in the UK and was also linked to a recent data attack against video game company Rockstar. The attack saw dozens of images and videos of the studio’s upcoming game Grand Theft Auto VI being leaked.
“Users need to be extremely mindful of follow-up attacks where scammers could message claiming to be from Revolut as this type of information grabbing is typical in the aftermath of such a hack,” Jake Moore, global cybersecurity advisor at ESET, told UKTN. “Even though passwords are protected, it can often be peace of mind to change it just in case it is later discovered that more was compromised. It is vital customers keep their sensitive data and passcodes private however sure they might be that they are talking to advisors.”