2024-07-01 Affirm Holdings, Inc. Cybersecurity Incident

Page last updated on July 1, 2024

Affirm Holdings, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2024-07-01 17:25:26 EDT.

Company Summary

Affirm is a financial technology services company that offers installment loans to consumers at the point of sale.

Incident Details

Material: Unknown
Is Breach: TRUE
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date: 2024-06-25
Disclosure Date: 2024-07-01
Contained Date: 2024-07-01
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2024-07-01

Affirm Holdings, Inc. filed an 8-K at 2024-07-01 17:25:26 EDT
Accession Number: 0001820953-24-000027

Item 8.01 Other Events.

On June 25, 2024, Evolve Bank & Trust (“Evolve”), the third-party issuer of the Affirm Card, notified the Company that Evolve had experienced a cybersecurity incident whereby a third party gained unauthorized access to personal information and financial information (“Personal Information”) of Evolve retail banking customers and the customers of its financial technology partners. Because the Company shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident. However, the Company’s information systems were not compromised, nor was the ability for Affirm Card holders to continue using their Affirm Card. This incident has not impacted any other part of the Company’s business or operations.

Upon being notified of the Evolve cybersecurity incident, the Company immediately began an investigation independent of Evolve’s investigation to determine whether any Affirm Card user Personal Information had been compromised, and that investigation, along with remediation efforts, is ongoing as of the date of this Current Report on Form 8-K (the “Filing”). Evolve has communicated to the Company that this cybersecurity incident has been contained. However, the full scope, nature and impact of the incident on the Company and Affirm Card users, including the extent to which there has been unauthorized access to Affirm Card user Personal Information, are not yet known. The Company has notified law enforcement and all Affirm Card users of the Evolve cybersecurity incident. Affirm Card users continue to be able to transact with their Affirm Cards, and the Company heightened its fraud monitoring.

As of the date of this Filing, the Company does not expect that the Evolve cybersecurity incident is reasonably likely to have a material impact on the Company, including its financial condition or results of operations.

Company Information