Evolve Bank settles for $11.9 million over 2024 data breach

Evolve Bank & Trust settled a class action lawsuit by plaintiffs representing approximately 18 million victims of a 2024 data breach at the bank. The settlement will cost the bank $11.9 million.

The settlement will effectively cost the bank, headquartered in West Memphis, Arkansas, roughly 66 cents per victim whose identifying information was compromised, not including other costs such as attorney fees, staff time spent on investigating and reputational damages.

While the bank had told the state attorney general of Maine last year that the total number of people affected by the breach was 7.6 million, the settlement documents submitted to the U.S. District Court for the Western District of Tennessee indicate that the private information of 18 million U.S. persons who directly or indirectly provided it to Evolve was included in files affected by the data incident.

How the settlement will be divided

Of the $11.9 million settlement, the settlement administrator, Kroll, will receive between $108,050 and $178,100. The attorneys representing the data breach victims could receive up to one third of the settlement fund, which comes to $3.8 million, not including an additional “reimbursement of costs,” according to the settlement.

Each of the 14 class representatives in the case will receive $2,500. The millions of other class members will be eligible for up to $3,000 if they can document such losses were the result of the data incident.

The remainder from the settlement fund will go to class members who apply for a flat cash payment. This flat payment will come out to approximately $20 each, to be adjusted based on the number of class members who respond, according to court documents.

The number of victims (18 million) vastly outnumbers the dollar amount in the settlement fund allocated to victims (less than $8 million if the victims’ attorneys receive their full third of the fund). Yet, the flat cash payment each member is eligible to receive is estimated to be $20.

These amounts suggest the two sides of the settlement expect no more than than 1 in 46 victims (roughly 2%) to respond to the class action notifications and claim their flat cash.

How the data breach happened

The data breach that led to the settlement this week occurred between February and May 2024 and was publicly disclosed in late June that year. Data involved included names, dates of birth, Social Security numbers, driver’s license numbers and contact information.

Evolve named LockBit as the threat actor that compromised the customer data after an employee “inadvertently clicked on a malicious internet link,” according to a June statement from the bank. Evolve also said it did not pay the ransom the group demanded, which is why the group leaked the data it stole.

The breach affected both victims who directly bank with Evolve, which has branches in Arkansas and Tennessee, and many of the fintech partners the bank has sponsored. In the days after Evolve acknowledged the data breach, its fintech partners including Affirm, Bilt Rewards, Branch, EarnIn, Melio, Mercury, Wise and Yieldstreet either told customers or confirmed to American Banker that their data had been affected.

Affected fintechs said the Evolve breach did not compromise any of their customers’ account credentials, and Evolve itself said it had found no evidence that the criminals behind the attack accessed any customer funds.