A data breach has created a ruckus reverberating through fintech—and reinforcing just how interconnected the sector's ecosystem really is.
These are the facts: On June 26, Evolve Bank & Trust said it had experienced a cyberattack and data breach, resulting in customers' data being exposed. Evolve, a financial services company devoted to Banking-as-a-Service companies, has counted companies like Affirm, Wise, Mercury, Bilt, Alloy, Stripe, Branch, Dave, and EarnIn among its customers, partners, or service providers.
And now at least some of these high-profile fintechs have been affected by the data breach. Wise, which worked with Evolve between 2020 and 2023, has said that it’s possible some of its customers have been affected. Mercury also said on social media that it has been affected by the breach, and has accordingly informed customers.
It doesn’t help matters that Evolve has been tied up in the messy bankruptcy proceedings of Synapse, a BaaS company that was backed by the likes of Andreessen Horowitz and 500 Global. The two companies were twisted together in a partnership—and the dissolution has been ugly, with both sides alleging mismanagement in court.
And though Synapse isn’t expressly linked to Evolve’s data breach, it’s another piece in the puzzle of just how deep problems at Evolve seem to run. Here’s another piece: In June, the Federal Reserve demanded Evolve improve its risk management systems around fintech partnerships.
The timing is rough for fintech as a whole—the space has fallen out of favor as prospective venture backers have moved on to other areas, like AI.
"It's coming at a bad time," said Nik Milanović, general partner at The Fintech Fund. "Which companies are being funded right now? Which companies are raising money?...A lot of people who were writing blog posts three years ago about fintech being the future are now writing the same blog post about other areas."
As fintech struggles to find its footing among possible backers, that brightened spotlight is both suboptimal and inevitable, given the inherently sensitive nature of supervising the money of others.
"It puts a lot more scrutiny on the ecosystem," said Sarah Hinkfuss, Bain Capital Ventures partner. "The word that comes to mind is trust, right? The customers trust that these fintechs are going to safekeep their information and their financial wellness…Those fintechs therefore have to be responsible for everyone that they're working with, for all of their counterparties, to make sure those counterparties are protecting that trust, because that's their most important asset."
Put simply, fintech is in the crosshairs—and is likely scathed.
"Calls for more scrutiny and higher, consistent standards vetting these partnerships have become especially relevant now," said NMI chief strategy officer Kate Hampton via email. "An outcome such as a serious security incident affecting multiple ecosystem stakeholders and their customers is damaging to fintech as a whole."
This all sounds like bad news, I know. But here’s some good news and a friendly reminder: On the ground level, the risks for customers are actually quite low—but make sure you have a password manager, said QED partner Amias Gerety.
"The personal risk is mostly low because personal credentials have already been breached in another scenario," Gerety told Fortune. "It's absolutely still a good reminder to engage in some personal hygiene around your cybersecurity, right? You definitely wouldn't go years without showering. You shouldn't go years without changing your passwords."
Ultimately, there’s a "this-story-has-everything" quality here: We haven’t even gotten to the senators who’ve sounded off, the fact that Evolve was targeted by Russia-linked hackers, or just how gnarly legal proceedings between Synapse and Evolve have become. But, for now, the most important thing to take away is this: The trouble playing out now is a story years in the making—and the outcome of an open secret.
"It’s worth just really hammering home this point: It was well-known in the fintech industry that Synapse had significant culture, technology, and operational challenges," said Gerety. "I don't think we can hold customers accountable for that, but I told every fintech CEO that asked: ‘Do not work with Synapse. Do not work with Evolve.’"
See you Monday,
Allie Garfinkle
Twitter: @agarfinks
Email: alexandra.garfinkle@fortune.com
Submit a deal for the Term Sheet newsletter here.
Joe Abrams curated the deals section of today's newsletter.