July 29, 2024
Over the past several weeks, we have worked with Evolve to thoroughly investigate the security incident to understand how Mercury customer information was affected.
Except for select cases where customers will be notified directly, the following information was not exposed in the incident for Mercury users, based on Evolve’s analysis so far:
- Social security numbers
- Copies of identity documents such as driver's licenses and passport images
When we need to share this information with Evolve, it is shared either via unique links that expire after 24 hours or via a separate case management system. The investigation findings indicate that these unique URLs and the information in the case management system were not exposed in the security incident.
Additionally, Mercury account credentials and passwords were not accessed — we do not share this information with any partners. Mercury’s own systems were not affected.
What information was exposed?
While we don’t have account-specific details, we share the following information with Evolve in the normal course of business, and it’s likely that some of your company’s data was included: name(s), phone numbers, addresses, and email addresses for businesses and their beneficial owners; overall account balance; business bank account numbers; business EIN; and certain transaction information, including the entities you transact with and their information, such as the sender and receiver’s address, account number, and transaction amounts.
Why does Evolve have this information?
When you opened an account with Mercury, you signed documents that also opened an individual demand deposit account (DDA) with Evolve Bank & Trust. This means that you are the legal owner of your funds and are a direct client of the bank. This also means the information Mercury shares with Evolve includes all the information a bank is required to have on its customers.
Are my funds at risk?
We have seen no evidence of increased fraud against Mercury customers resulting from this incident. But as a reminder, we recommend the following preventative steps to keep your funds secure:
- We have robust monitoring for suspicious ACH pulls. If you notice a fraudulent ACH pull initiated against you, please dispute the transaction as soon as possible. You can view your recent ACH pulls here.
- You can further enhance the security of your accounts by enabling our ACH authorizations feature, which will flag any ACH pulls from unauthorized vendors and give you a chance to decline an ACH pull before it is processed. You can set this up by going to Payments > Authorizations from the sidebar navigation. Learn more here.
- If you’d like to change your account numbers out of an abundance of caution, contact helpdesk@mercury.com or reply to this email.
—
June 26, 2024
We recently became aware of a cybersecurity attack that breached the security systems of one of our partner banks, Evolve Bank & Trust, and leaked their records, including some account numbers, deposit balances, business owner names, and emails associated with Mercury and other fintech accounts.
Your Mercury account credentials — including your password — were not exposed (we do not share this information).
While we do not anticipate an increased risk of exposed Evolve account numbers being used fraudulently, Mercury is taking the following preventative steps to keep your funds secure:
- We have robust monitoring for suspicious ACH pulls. If you notice a fraudulent ACH pull initiated against you, please dispute the transaction as soon as possible. You can see recent ACH pulls here.
- You can further enhance the security of your accounts by enabling the ACH authorizations feature, which will flag any ACH pulls from unauthorized vendors and give you a chance to decline them before they are processed. You can set this up by going to Payments > Authorizations from the sidebar navigation; read more about this here.
- If, out of an abundance of caution, you’d like to change your account numbers, contact helpdesk@mercury.com.
We are thoroughly investigating the leaked data to understand what customer information is at risk. Additionally, Evolve has resources for complimentary credit monitoring on their website.