The challenger bank Dave revealed in a blog over the weekend that personal data for all 7.5 million of its users has been compromised.
The company did not respond to a request for an interview, but did relay the details of the breach in a blog.
The security lapse happened at Waydev, a third-party service provider Dave used, the Los Angeles company said. Waydev's software analyzes software developers’ output and productivity. Waydev did not respond to a request for an interview.
The stolen information included names, passwords, email addresses, birth dates, physical addresses and phone numbers. Bank account numbers, credit card numbers, transaction records and Social Security numbers were not affected, Dave said.
“Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident,” the company said.
The company also said that as soon as it became aware of this incident, it initiated an investigation, which is ongoing. It also said it's coordinating with law enforcement, including with the FBI, “around claims by a malicious party that it has ‘cracked’ some of these passwords and is attempting to sell Dave customer data,” the Dave blog stated.
Dave is notifying all customers about the incident and is performing a mandatory reset of all Dave customer passwords.
Dave also retained CrowdStrike, a leading cybersecurity consultant, to assist.
Bryan Becker, product manager at WhiteHat Security, said the breach is a warning to all financial services firms.
"For a defense posture that remains active, compliance isn’t enough, particularly in banking,” he said. “You must continuously patch systems and build security into your software throughout the entire development life cycle to protect it from threats that continue to get smarter with each attempted attack.”
