Fintech Revolut has suffered a breach that exposed the personal information of tens of thousands of customers, 50,150 according to Bleeping Computer. The breach occurred on a Sunday night, and it appears to have been an attack with a specific purpose and focus.
According to a company spokesperson, an unidentified third party gained access to Revolut's systems "for a short period of time," during which the company estimates the intruder was able to access the details of 0.16% of its customers. "It was necessary to prevent the attack from happening in the company," said the victim.
The company has already reported the security breach and its findings to the state data protection inspectorate of Lithuania, where Revolut has a banking license. No specific information has been provided on how the incident occurred, but everything appears to suggest that the breach was initiated using social engineering.
According to the Lithuanian data protection authority, the following customer data has been exposed: email address, full name, postal address, telephone number, limited payment card data, and invoice data. Neither the details of the cards nor their PINs or passwords have been exposed. The attacker also has not gained access to company accounts.
Revolut notes that the type of data exposed varies from client to client. In view of what occurred, clients should take special care with any message that asks for personal data or passwords, because the company, as it emphasizes, will never ask them for sensitive information in this way.
In fact, there is already a phishing SMS campaign targeting Revolut customers, telling them that their card has been suspended in order to avoid possible fraud. They are also told that to request a new card they must click on a false link and follow a few steps. Otherwise, attackers might make purchases online or send money to accounts they control.