fintech Revolut has suffered a attack that exposed the personal information of several tens of thousands of customers: 50,150according to Bleeping Computer. The hack happened a few days ago, and it seems to be an attack with a very specific focus and purpose. It happened on a Sunday night, and at two in the morning of that same Monday, the attack was already isolated and contained.
According to a company spokesperson, an unauthorized third party had access to Revolut’s systems.”for a short period of time«, in which they calculate that he was able to access the details of 0.16% of his clients. In the company they identified and isolated the attack «immediately, to effectively limit its impact, and contact affected customers. Those who have not received an email have not been impacted«.
The company has already communicated the security breach and its details to State data protection inspectorate of Lithuania, where Revolut has a banking license. According to data provided by the company, there are 20,687 customers in the European economic zone affected. No data has been provided on how the attack occurred, but everything indicates that it was carried out through social engineering.
The customer data that has been exposed, according to the Lithuanian data protection agency, is the following: email address, full name, postal address, telephone number, limited data of the payment card and data of the bill. Neither the details of the cards, nor their PINs or passwords have been compromised. The attacker has also not obtained access to the funds of the entity’s clients.
However, in a message sent to an affected customer, Revolut notes that the type of data that has been exposed varies depending on the client. In view of what happened, the entity’s clients should take special care with any message that asks for personal data or passwords, because the company, as they emphasize, will never ask them for sensitive information in that way.
In fact, apparently, there is already a phishing SMS campaign targeting Revolut customers to try to get account owners at the entity to provide sensitive data, which tries to trick them into saying that their card has been frozen to prevent possible fraud. . They are also told that to request a new card they have to click on a false link and follow some instructions, which, of course, ask them to provide sensitive payment data for the card that they must not deliver. Otherwise, attackers could make purchases online or send money to accounts they control.
