Revolut breach impacts thousands, but no funds 'accessed'

More than 50,000 users' details were exposed

The attack began, as many do, with a phishing scam

Challenger bank Revolut has fallen victim to a cyber attack in which a third party was able to see users' personal details.

A spokesperson told BleepingComputer that hackers compromised data belonging to 0.16% of its customers "for a short period of time".

That sounds small, but Revolut claims to have more than 20 million personal banking customers, which would mean at least 32,000 people's details were exposed - and in fact, Revolut itself has admitted the breach has affected more than 50,000 individuals.

Revolut discovered the unauthorised access on 10th September, and was able to contain the incident by the following morning.

As per the breach disclosure to the State Data Protection Inspectorate in Lithuania, where Revolut holds a banking licence, 50,150 customers have been affected by the breach worldwide.

The hackers did not access any card data, PINs or passwords, the company said in an email sent to affected customers, which was posted on Reddit by a user.

The breach disclosure does, however, state that the attackers may have accessed partial card payment data, along with customer names, addresses, email addresses, dates of birth and phone numbers.

The attack seems to have started after a Revolut employee fell victim to a phishing scam - a common way of gaining entry to corporate systems.

Recent attacks on a number of well-known firms, such as Twilio, Okta, Uber and Mailchimp, have used this strategy.

Revolut has notified impacted customers, and says those who have not received an email have not been affected.

The company is now investigating the incident, and is cooperating with the Information Commissioner's Office (ICO) and other authorities.

Revolut has created a special team to monitor customer accounts, to ensure that customers' money and data are safe. It is also advising customers to watch for suspicious emails, phone calls and text messages to avoid potential phishing scams.

Like other banks, Revolut says it will never phone or send SMS messages to customers to request login information or access codes.

The Revolut cyber attack comes in the wake of a number of other high-profile data breaches this month.

Ride-sharing firm Uber suffered a cyber attack last week, and Rockstar Games was breached over the weekend, resulting in the source code for its upcoming game, Grand Theft Auto 6, being stolen.