Revolut security breach affects 50,000 customers

Hackers accessed customers' names, addresses, phone numbers and other personal information in the Sept. 11 breach.
Hackers accessed the personal data of 50,000 Revolut customers this month, and a phishing campaign imitating the company soon followed, though the company did not confirm whether the events were linked.

As first reported by Bleeping Computer, Lithuania's State Data Protection Inspector said in a Sept. 16 disclosure about the breach that the exposed data may have included names, addresses, emails, postal addresses and telephone numbers.

Revolut, a challenger bank headquartered in London, primarily serves European customers but has started expanding its U.S. presence. Revolut has a banking license in Lithuania, where the government frequently publishes information about data breaches affecting its citizens.

Revolut told the Lithuanian inspector that hackers did not get payment card numbers. The company told customers they could use their accounts normally, and a company spokeswoman said "no funds have been accessed or stolen" and that "customers' money is safe — as it always has been."

The spokeswoman said Revolut has "nearly half a million" customers in the U.S. but did not say how many Americans the data breach affected. The Lithuanian inspector said the breach impacted 50,150 people, including 20,687 people in the European Economic Area and 379 in Lithuania.

Revolut told customers on Sept. 15 about the breach, which reportedly happened on Sept. 11.

Lithuania's inspector said Revolut had "taken prompt action to eliminate the attacker's access to the company's customer data and stop the incident." The company also said it had reached out to customers affected by the breach and that customers who had not received an email were not affected.

"We take incidents such as these incredibly seriously, and we would like to sincerely apologize to any customers who have been affected by this incident as the safety of our customers and their data is our top priority at Revolut," the spokeswoman said.

The Lithuanian inspector said social engineering was behind the breach and that the company was still investigating.

Researchers at University College London noted after news of the breach broke that Revolut customers had started receiving phony text messages telling them their new debit card was on the way. Some of the messages came from a number Revolut had previously used for legitimate communications with customers.

The same day hackers reportedly initiated the breach, Revolut said that a number of users had received inappropriate messages via the company's in-app customer support system.
