Cyber Incident Victim: Revolut
Date: Sep 2022
Location: Lithuania
Summary
A financial technology company suffered a cyberattack resulting in unauthorized access to personal data of over 50,000 customers, representing 0.16% of its user base. The breach, attributed to social engineering, exposed email addresses, full names, postal addresses, phone numbers, limited payment card information, and account details, though card security codes, PINs, and passwords remained uncompromised. Following the incident, attackers launched SMS phishing campaigns directing victims to fraudulent websites impersonating the firm to harvest card details. The organization confirmed that customer funds were secure and accounts remained operational, and it established a dedicated team to monitor for suspicious activity. Separately, it addressed unrelated issues involving inappropriate language displayed in its internal support system.
Description
On September 12, 2022, Revolut experienced a highly targeted cyberattack resulting in unauthorized access to personal data belonging to 50,150 customers globally. The financial technology company confirmed the breach impacted 0.16% of its user base, with 20,687 affected customers residing in the European Economic Area and 379 in Lithuania. Attackers obtained email addresses, full names, postal addresses, phone numbers, limited payment card information, and account-related data, though critical authentication credentials like passwords, PINs, and full card details remained uncompromised. Revolut clarified that customer funds were not accessed and normal account operations could continue without restrictions. Initial analysis indicated social engineering tactics likely facilitated the intrusion, though specific technical vectors were not disclosed. The company established a dedicated response team to monitor potentially affected accounts for suspicious activity and implemented direct notifications to impacted users. Security advisories warned customers about anticipated phishing campaigns attempting to exploit the breach.

Within days of the disclosure, threat actors launched SMS-based phishing operations directing recipients to a fraudulent domain, revolut-card-cancel[.]com, designed to harvest payment card details under the guise of canceling compromised cards. These campaigns leveraged stolen personal information from the breach to enhance credibility, with security analysts noting the potential for monetization of hijacked cards to finance additional attacks. Revolut reiterated that it would never proactively solicit sensitive information through unsolicited communications. Concurrently, the company addressed unrelated internal support system issues involving inappropriate language displayed in chat interfaces. A public apology acknowledged the operational disruption while emphasizing ongoing efforts to secure systems and assist affected customers. The incident highlighted secondary risks of data misuse beyond initial breaches, particularly through coordinated social engineering exploiting recent security events.
