British fintech company Revolut has confirmed that it has been the victim of a “targeted cyber attack” in which an attacker gained access to tens of thousands of users’ personal data.
This was reported by the press secretary of Revolut UKTN that an “unauthorized third party” accessed the data of 32,000 customers, representing 0.16% of its customer base, “for a short period of time.”
In total, the data of just over 50,000 users was compromised, but around 18,000 of those were people who registered a Revolut account but did not complete the sign-up process.
Compromised customer data included names, email addresses, date of birth, phone numbers and mobile device type, the spokesperson said UKTN. Revolut said it did not gain access to payment details or passwords.
“We immediately detected and isolated the attack to effectively limit its impact and contacted affected customers. Customers who did not receive the email are not affected,” Revolut said in a statement.
A spokesman said “no funds were received or stolen” and that customers could “continue to use their cards and accounts as normal”.
Revolut’s latest publicly available data shows its customer base to be around 20 million UKTN understands that number is now closer to 23 million.
The cyber attack occurred late at night on September 10 and was stopped by Revolut at around 02:00 the next morning. This was due to a Revolut employee being compromised using a phishing scam, in which the attacker sends a legitimate message to trick the target into revealing sensitive information.
The attacker then used the employee’s stolen information to gain access to Revolut’s systems.
Revolut is closely investigating the situation and is working with the Information Commissioner’s Office (ICO) and other authorities on the matter.
Revolut also advised customers to be vigilant about suspicious emails, phone calls and text messages to avoid potential phishing after the attack.
Revolut said it was providing a free Experian security check service to affected customers.
A wave of cyber attacks
The Revolut cyberattack follows several other high-profile data breaches in September. Ride-sharing company Uber was the victim of an attack last week that the company says is associated with the hacker group Lapsus$.
Lapsus$ is believed to be partially based in the UK and has also been linked to a recent data attack on video game company Rockstar. The attack led to the leak of dozens of images and videos of the studio’s upcoming game, Grand Theft Auto VI.
“Users should be extremely careful about the following attacks, where fraudsters can send messages pretending to be Revolut, as this type of information capture is typical after such a hack,” said Jake Moore, ESET Global Cyber Security Advisor. UKTN. “Even though passwords are secure, it’s often safe to change them just in case it’s later discovered that others have been compromised. It is vital that customers keep their sensitive details and access codes confidential, however confident they are when speaking to advisers.”