It was Revolut’s turn. Another day, another data breach in the crypto world. About a week ago, someone inside the company’s headquarters fell for a scam. According to Revolut, the social hackers only had access to the data “for a short period of time.” And the breach only affected 0,16% of their clients. Not too bad, right? Well, apparently the attackers got 50K people’s data and are already trying to scam them. Plus, they might’ve gotten control of Revolut’s website.
But let’s start at the beginning. The company’s banking license is registered in Lithuania, so Revolut reported the incident to that country’s State Data Protection Inspectorate. They are the ones that revealed that the attack was through social engineering. Revolut didn’t admit to that. The Lithuanian data protection agency also offered a jam-packed summary of the case that contains most of the facts:
“According to the provided revised information, the data of 50,150 customers around the world (including 20,687 in the European Economic Area), such as names, addresses, e-mails, may have been affected during the incident. postal addresses, telephone numbers, part of the payment card data (according to the information provided by the company, the card numbers were masked), account data, etc.”
And, to cover all the bases, here’s the definition of “social engineering” according to Investopedia:
“Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems. Social engineering relies on manipulating individuals rather than hacking computer systems to penetrate a target’s account.”
What Does Revolut Admit To?
The company described the incident as a “highly targeted cyber attack” in which an “unauthorized third party” got access to a small percentage of users’ personal data. In a statement shared with Bleeping Computer, Revolut continued:
“We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted.
To be clear, no funds have been accessed or stolen. Our customers’ money is safe – as it has always been. All customers can continue to use their cards and accounts as normal.”
Not too bad, right? Well, at least one customer who didn’t receive an email reports that he was contacted by the scammers. “I didn’t receive an email from you yet I receive a scam text message claiming it’s from Revolut. How did they get my number and know I had a Revolut account?,” JT tweeted a couple of days ago. He got a generic “Hi there! Could you please contact our support team via in-app chat regarding this?” as a response.
The company’s official statement ends with promises:
“We take incidents such as these incredibly seriously, and we would like to sincerely apologize to any customers who have been affected by this incident, as the safety of our customers and their data is our top priority at Revolut.”
Is there more to the story, though?
ETH price chart for 09/23/2022 on FTX | Source: ETH/USD on TradingView.com
There might’ve been more shenanigans going on, according to Bleeping Computer. Apparently, Revolut users reported that the support chat was displaying foul language near the time of the social engineering incident. The publication clarifies:
“While it is not clear if this defacement is related to the breach disclosed by Revolut, it shows that hackers may have had access to a wider range of systems used by the company.”
Did the hackers get access to more than the admitted data? Or was this a separate incident and the whole thing just a coincidence? Can we believe the reports? A couple of images prove nothing, and there are no dates on them. Why would the hackers deface the website if they were after money? On the other hand, maybe they did. And those messages might mean that they got more access than what Revolut admitted to.