Fintech company Revolut has experienced a significant loss of over US$20 million due to the actions of malicious individuals who exploited a software vulnerability within its US payment system. This cyber security incident occurred over a period of several months in 2022 before the vulnerability was identified and resolved. Revolut has not yet made a public statement regarding the theft, according to The Financial Times (FT).
According to sources cited by the FT, the software vulnerability caused communication issues between Revolut’s European and US payment systems. As a result, when certain transactions were declined, Revolut mistakenly refunded accounts using the company's own funds rather than funds from the appropriate account. By exploiting this flaw, malicious actors were able to steal approximately $23 million from Revolut.
These sources also revealed that although occasional instances of this refund issue had been flagged in 2021, organized criminals began taking advantage of the vulnerability in 2022. These criminal groups deliberately made large purchases that they knew would be declined, subsequently withdrawing the excess refunded money from their accounts via ATMs.
The extensive fraud scheme came to light when a partner bank based in the US notified Revolut that its funds were lower than expected. Subsequently, the software vulnerability was patched in the spring of 2022. While Revolut managed to recover some of the stolen funds by targeting those who had exploited the payment system error, the company ultimately incurred a loss of approximately $20 million.
Social engineering attack
In a separate incident on September 11, 2022, Revolut experienced a data breach in which a third party gained unauthorized access to the company’s database, compromising the personal information of 50,150 users. This breach was the result of a social engineering attack. The malicious actors were able to access data such as names, addresses, email addresses, and partial payment card information. Revolut has assured its customers that the compromised card details were hashed, providing an additional layer of security.