Evolve Bank $3.78M Settlement for 2024 Data Breach

By Editorial Team
Category: financial

Evolve Bank $3.78M Settlement for 2024 Data Breach - Class Action Law Updates

Evolve Bank & Trust has agreed to pay more than $11.8 million to settle a class action lawsuit over a 2024 ransomware attack that exposed the personal and financial information of countless customers. A federal judge granted final approval to the settlement on December 15, 2025, bringing closure to a case that highlighted serious vulnerabilities in the bank's data security practices.

The settlement, which is now closed to new claims, resolves allegations that the Arkansas-based institution failed to maintain adequate safeguards to protect sensitive customer data from the LockBit ransomware group.

What Happened: The 2024 Data Breach

The trouble began in February 2024, when hackers first gained unauthorized access to Evolve Bank's systems. They struck again in May. The bank didn't immediately realize it was under attack—when system irregularities first appeared in late May, IT staff initially suspected hardware failures.

Further investigation revealed the actual culprit: an employee had clicked a malicious link, opening the door for attackers to infiltrate the network and download customer data from databases and file shares.

The compromised information was extensive. Hackers accessed names, Social Security numbers, dates of birth, driver's license numbers, bank account numbers, contact information, and in some cases, debit card numbers and ACH transaction records complete with routing numbers. This represents precisely the type of data identity thieves prize most highly.

The breach didn't just affect direct customers of Evolve Bank & Trust. Because the institution serves as a banking partner for various fintech companies, customers of services like Affirm and Wise also had their information exposed. In all, most personal banking customers, mortgage holders, trust account holders, small business clients, and users of these partner platforms were affected.

For those whose data was stolen, the risk extends far beyond the immediate aftermath of the breach. Social Security numbers can be used to open fraudulent credit accounts years later. Bank account details enable unauthorized transfers. The exposure creates a lasting vulnerability that victims will need to monitor for the foreseeable future.

The Legal Claims Against Evolve Bank

The multidistrict litigation filed against Evolve Bank centered on a straightforward allegation: negligence. Plaintiffs claimed the bank failed to implement reasonable security measures to protect the sensitive information entrusted to it.

Financial institutions occupy a unique position of responsibility. They handle the most intimate details of their customers' financial lives—Social Security numbers, account balances, transaction histories. With that access comes an obligation to maintain security standards commensurate with the sensitivity of the data.

When breaches occur, courts examine whether institutions took reasonable steps to prevent unauthorized access. Did they follow industry-standard practices? Were their defenses appropriate given the known threat landscape? These questions form the foundation of negligence claims in data breach litigation.

The Evolve case reflects mounting scrutiny of how banks protect customer information. As cyberattacks grow more sophisticated and frequent, the legal system has raised the bar for what constitutes adequate security. Customers are no longer willing to accept breaches as inevitable, and courts have shown increasing willingness to hold institutions accountable when preventable failures occur.

Throughout the litigation, Evolve Bank denied wrongdoing. The settlement agreement includes no admission of liability. But the bank's willingness to pay more than $11.8 million speaks to the seriousness of the allegations and the risk the institution faced in continued litigation.

Settlement Terms and Consumer Compensation

The settlement fund exceeds $11.8 million, though affected customers needed to act quickly to claim their share. The deadline for filing claims was October 30, 2025, with earlier deadlines of October 15, 2025, for those wishing to opt out of the settlement or object to its terms. Following a fairness hearing on November 14, 2025, the court granted final approval about a month later.

Compensation varies depending on what losses a class member can document. Those who experienced concrete financial harm—fraudulent charges, costs associated with addressing identity theft, or other out-of-pocket expenses—could receive reimbursement up to $3,000. Documentation was required to support these claims.

Class members who couldn't point to specific financial losses weren't left empty-handed. They were eligible for a flat $20 payment, acknowledging the inconvenience and potential future risk created by the exposure of their information.

All class members also qualified for one year of free credit monitoring, including real-time alerts when new activity appears on their credit reports. The settlement provides identity theft insurance coverage up to $1 million for those who take advantage of the monitoring services.

How much each person ultimately receives depends on several factors. The number of valid claims filed affects the distribution. If relatively few people submit claims, individual payments could be higher. A flood of claims could reduce per-person amounts, particularly for those receiving the $20 base payment rather than claiming documented losses.

The structure of data breach settlements like this one reflects the varied nature of harm victims experience. Some people discover fraudulent accounts opened in their names within weeks of a breach. Others never see concrete financial losses but spend hours on the phone with credit bureaus and banks, freezing accounts and disputing charges that turn out to be legitimate. Still others face no immediate consequences but live with heightened anxiety about future identity theft.

Settlements attempt to account for this spectrum of harm, though critics sometimes argue that the compensation—particularly flat payments of $20 or similar amounts—doesn't adequately reflect the serious invasion of privacy and ongoing risk these breaches create.

Why This Settlement Matters for Consumers

The Evolve Bank settlement carries implications that extend beyond this particular institution and these specific victims.

For one, it reinforces that data security represents a legal obligation, not merely a best practice. Banks face real financial consequences when their security falls short. The more than $11.8 million settlement amount, while perhaps not devastating to a financial institution, sends a clear signal about the cost of inadequate safeguards.

The case also serves as a reminder of how common breach exposure has become. Cyberattacks targeting financial institutions aren't occasional anomalies—they're a persistent threat. The sophistication of groups like LockBit means even institutions with security measures in place remain vulnerable. Customers should assume the data they provide to banks and other financial services companies faces ongoing risk.

Class action litigation provides one of the few practical paths to accountability when breaches occur. Individual customers whose information was exposed might each face modest losses—a few hours of time, perhaps a small fraudulent charge that was reversed. Pursuing individual legal action over such losses wouldn't be economically feasible. Class actions allow affected consumers to pool their claims and, collectively, demand compensation that would be impossible to obtain individually.

The settlement underscores that "reasonable safeguards" isn't an abstract concept. It's a legal standard against which institutions' security practices are measured. What constitutes reasonable protection evolves as threats become more sophisticated, but the core principle remains: banks must implement security proportionate to the sensitivity of the information they hold.

What Affected Customers Should Know

If you were a customer of Evolve Bank & Trust—or if you used a fintech service that relies on Evolve as its banking partner—and you believe your information may have been exposed in the 2024 breach, the window for action has closed. The settlement deadline has passed.

The class included individuals in the United States who provided private information to Evolve Bank & Trust, either directly or indirectly through partner platforms, if that information was contained in files affected by the February and May 2024 intrusions.

Those who filed claims by the October 30, 2025, deadline needed to provide information establishing their eligibility and, if seeking reimbursement for documented losses, evidence supporting those expenses. Missing the deadline meant forfeiting any right to compensation under the settlement.

But whether or not you filed a claim, ongoing vigilance remains essential. Stolen data doesn't expire. Information taken in the 2024 breach could surface in fraudulent activity months or even years from now. Continue monitoring bank statements carefully. Review credit reports regularly—federal law entitles you to free reports from each of the three major credit bureaus annually at AnnualCreditReport.com.

Watch for warning signs: unfamiliar accounts appearing on credit reports, unexpected denials of credit, calls from debt collectors about accounts you didn't open, or missing financial statements that might indicate an address change you didn't authorize.

Class members who claimed the free credit monitoring through the settlement should take full advantage of it. These services provide real-time alerts when new accounts are opened or significant changes appear on credit reports, offering an early warning system that can help you catch fraud quickly.

If you discover fraudulent activity, act immediately. Contact the financial institution where the fraud occurred. File a report with the Federal Trade Commission at IdentityTheft.gov. Consider placing a fraud alert or credit freeze on your credit files. Document everything—you may need these records if identity theft issues persist.

The Broader Context of Financial Institution Data Breaches

Evolve Bank & Trust is far from alone in facing a significant data breach. Financial institutions have become prime targets for cybercriminals precisely because of the valuable information they hold.

The pattern repeats with troubling regularity: a bank or credit union discovers unauthorized access, launches an investigation, eventually notifies affected customers, and then faces litigation over whether its security measures were adequate. Some of these cases settle. Others proceed to trial. But the frequency of breaches shows no sign of declining.

Courts and regulators have responded by scrutinizing data security practices more closely. The legal standard for what constitutes "reasonable" security continues to evolve, generally in the direction of higher expectations. Settlements like Evolve's create financial incentives for institutions to invest in robust cybersecurity, though whether those incentives are sufficient to meaningfully alter institutional behavior remains an open question.

Consumer advocates argue that settlement amounts, while substantial in absolute terms, remain modest relative to the revenues of major financial institutions and don't adequately compensate victims for the lasting harm of having their most sensitive information stolen. Banks counter that they face a determined, sophisticated adversary in modern cybercriminal organizations and that even significant security investments can't guarantee immunity from breaches.

For consumers, the takeaway is sobering. The institutions holding your financial data—even those making good-faith efforts to protect it—face serious, ongoing threats. Perfect security doesn't exist. That reality makes personal vigilance not just prudent but necessary.

How to Claim Your Settlement

The Evolve Bank & Trust settlement is now closed. Affected consumers needed to act by October 30, 2025, to receive compensation.

The claims process required class members to verify their eligibility by confirming they held an account or provided information to Evolve Bank & Trust during the relevant period, either directly or through a partner platform. Those seeking reimbursement for documented losses needed to gather supporting evidence: fraud reports, identity theft affidavits, receipts for expenses incurred in addressing fraudulent activity.

Claims were submitted through the official settlement website at evolvesettlement.com. The site provided detailed instructions on what information was required and how to properly document losses to support claims exceeding the $20 base payment.

Those who filed claims should watch for payment distribution in the coming months. Settlement administration takes time as claims are reviewed, validated, and processed. If you submitted a claim, keep your contact information current so the settlement administrator can reach you when payments are issued.

The more than $11.8 million Evolve Bank & Trust settlement represents a meaningful, if imperfect, resolution for affected customers. Money can't undo the exposure of sensitive information or eliminate the risk of future identity theft. But compensation helps offset the real costs—both financial and in time and stress—that breach victims experience.

Whether this settlement will prompt meaningful changes in how Evolve Bank and other financial institutions approach data security remains to be seen. What's clear is that cyberattacks targeting financial data will continue, and customers must remain vigilant in protecting themselves even as they rightly demand better protection from the institutions they trust with their most sensitive information.

Frequently Asked Questions

Who qualifies for the Evolve Bank $3.78M Settlement for 2024 Data Breach?

Eligibility for the Evolve Bank $3.78M Settlement for 2024 Data Breach depends on the specific terms set by the court. Generally, individuals who were affected by the actions described in the lawsuit during the class period may qualify. Review the full article above for detailed eligibility criteria, or visit the official settlement website for the complete class definition.

How much money can I receive from the Evolve Bank $3.78M Settlement for 2024 Data Breach?

The exact payout amount depends on the number of valid claims filed and the terms approved by the court. The final amount per claimant may vary based on the total number of claims submitted.

What is the deadline to file a claim?

The claim deadline has not yet been announced or may vary. Check the official settlement website for the most current deadline information. We recommend filing as early as possible to ensure your claim is processed.

How do I file a claim for the Evolve Bank $3.78M Settlement for 2024 Data Breach?

Claim filing instructions will be available once the settlement administrator opens the claims process. Be sure to submit your claim before the deadline to be eligible for a payment.

Do I need a lawyer to participate in this settlement?

No, you do not need to hire a lawyer to file a claim in most class action settlements. The class counsel appointed by the court represents all class members. However, if you have questions about your individual rights or want to opt out of the settlement, consulting with an attorney may be helpful.
