06 October 2022

The UK’s most valuable fintech startup Revolut confirmed it was hacked in September, exposing data on more than 50,000 customers around the world.

News of the breach was disclosed on Friday, September 16 to the state data protection agency of Lithuania, where the company holds a banking licence.

The hack occurred the night of September 11 and affected just 0.16% of its customers, according to an email sent by the company to users who have been impacted by the attack.

London-based Revolut is valued at £29 billion according to Forbes and has over 20 million users in 200 countries, but it most popular in Europe and the UK.

The company said that it suffered “a highly targeted cyberattack from an unauthorised third party” that may have gained access to some of the user data for a short period of time. Revolut said exposed information varies for different customers, but mostly includes user names, addresses, emails, postal addresses, telephone numbers and part of the payment card data. Rick Jones, chief executive officer and co-founder, DigitalXRAID, said news of the Revolut data breach comes just weeks before the tenth anniversary of Europe’s Cybersecurity Awareness Month – this year focused on phishing attacks and highlighting why an individual should ‘Think Before U Click’. He added: “Considering Revolut’s breached customer data is now being used within targeted phishing and smishing attacks, it is critical that Revolut users stop and think before they click on any links and keep cybersecurity front of mind, to avoid any personal loss.”

Ian Farquhar, field chief technology officer (global), Gigamon said that while they may seem simplistic hacks for such a large organisations, social engineering and phishing attacks are becoming increasingly common and successful routes for cybercriminals.

“The insider threat is not to be underestimated – our recent research actually found that 71% of UK IT and Security leaders had seen phishing emails as a route for ransomware in the last year,” he continued. “While the workforce can be the first line of defence for an enterprise, they can also be susceptible to scams and accidental clicks that lead to huge disruption.”

Revolut reassured customers that no funds were stolen and no card details, PINs, or passwords were accessed.

Jones added that to protect their networks, organisations should also make use of phishing simulation services consulting on best practice with expert security partners, to test employees against the current and most dangerous scams and give feedback on how well they performed.

These exercises should be run often to reinforce good cyber hygiene and ensure security is always kept front-of-mind.

The Revolut app was founded in 2015 by Russia-born Nikolay Storonsky and Ukraine-born Vlad Yatsenko.