One of the most consequential bank hacks of the last few years was just revealed to the public. In a post uploaded to its website two weeks ago, the Arkansas-based Evolve Bank and Trust informed its customers that a “cybersecurity incident” involving Russian ransomware group LockBit resulted in the theft of an unspecified amount of customer information.

The hacker group, which has been the target of an international law enforcement operation for years, had originally claimed the hack was of the Federal Reserve, raising some eyebrows on Wall Street.

Instead, as the group’s dark net website reveals, the stolen cache of records allegedly relates to Evolve Bank and Trust customers and those at partner FinTech companies, reportedly including names of customers, Social Security numbers, dates of birth, and scans of driver’s licenses and IDs.

While we do not know the full extent of the hack and the leaks, the bank’s unique positionas a bridge between traditional finance and the startup FinTech, neo-banks point to a much more dire situation than many would like to admit.

Many key financial services firms, including big names like Wise, Mercury, Stripe, Affirm, and many more, have already communicated to their customers that some of their datamay have been included in the hack. I have personally received some of these emails from other accounts.

This relates to the looming bankruptcy of related banking provider Synapse, which acted as a middleman between FinTech firms and traditional banks like Evolve. Sens. Sherrod Brown (D-Ohio), Ron Wyden (D-Ore.), Tammy Baldwin (D-Wis.), and John Fetterman (D-Penn.) sent a letter on July 1 to the company demanding it make its customers whole. Evolve Bank, a major partner of Synapse, was also addressed in the letter. The alleged hack will now only escalate the situation.

Two factors make this alleged Evolve hack so devastating.

First, the scale and scope of the companies involved. The list of FinTech partners using Evolve’s banking license to issue financial accounts includes some of the largest institutions in the country, serving hundreds of millions of Americans. We will only know the true number of people affected once companies disclose whose data was compromised.

Second, federal laws required each company to collect significant personal and private data from its clients to provide to Evolve. Whether under the Bank Secrecy Act, the PATRIOT Act, the FDIC Customer Identification Program, Dodd-Frank Act, or the newly passed Corporate Transparency Act, the federal government mandates that customers hand over vast amounts of information and data that banks and financial institutions must retain to track down crime.

To comply with the myriad Know Your Customer and anti-money-laundering laws the government has imposed on financial institutions, each of these companies must collect and store the names, addresses, Social Security numbers, and ID scans of their customers to report to the Treasury Department. A nefarious Russian hacking group may now possess this information.

The scale of potential identity theft will only grow once criminals match this information with recent online breaches.

Some users have already reported phishing scams made possible by information from the hack, and yet more information may soon become available.

FinTech Substack writer Jason Mikula is one of the only journalists to cover this breach from the start. Evolve Bank sent him a cease-and-desist letter last week and threatened legal action if he reveals any information from the hacks.

Beyond the worries about a broader industry collapse surrounding FinTech, this episode should prove as a cautionary tale for those who push excessive Know Your Customer and anti-money-laundering laws for services that consumers use every day.

As I’ve previously reported on Return, one pending bill in the U.S. Senate would like to crack down even more on Bitcoin and cryptocurrency exchanges, requiring yet more personal data and even limiting the amount customers can withdraw without being labeled “suspicious.”

While attempts at a national privacy law are commendable, Congress and the Federal Trade Commission have focused too much on specific business models of various online companies rather than on creating legally enforceable penalties for hacks that endanger our private information and put us at risk of identity theft.

Instead of introducing more restrictions or requirements for companies to collect information to combat crime, we should ask whether the existing laws are putting us in greater danger. Common-sense rules that promote encryption, penalize bad actors, and minimize data collection would go a long way in protecting consumers from future harm.

Originally published here