Revolut lost $20m due to payment flaw
Hackers capitalised on differences between European and US payment systems
Malicious actors capitalised on a flaw in Revolut's payment processing system, resulting in the theft of over $20 million from the fintech company in 2022.
As reported by the Financial Times, citing multiple people with knowledge of the incident, the flaw stemmed from differences between European and US payment systems: when certain high-value transactions were declined, Revolut's systems incorrectly refunded the amount to the customer out of the company's own capital.
Revolut's systems failed to detect the fraud, which drained Revolut's corporate funds rather than customer accounts.
The issue was first identified in late 2021, but before it could be fixed, criminals exploited the flaw, stealing approximately $23 million from the company's funds.
According to the FT, the criminals adopted a deliberate strategy: they made large purchases they knew would be declined, then withdrew the excess refunded money from their accounts at ATMs.
The issue came to light when a partner bank in the US alerted Revolut that it held less cash than expected.
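The article gives only the shape of the bug, so the following is an added illustrative model, not Revolut's code and not a description of its real mechanism: a toy ledger in which the decline path of a card purchase also books a "refund" with no matching debit, so the credit is paid out of the company's float; beside it, a hardened decline path that only releases the authorisation hold, a refund routine bounded by a settled debit, and the reconciliation check (cash at the partner bank against equity plus customer liabilities) that exposes the shortfall the partner bank noticed. All account names, balances and flows are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Added illustrative model, not Revolut's code. Amounts are in minor units (cents);
# every account, balance and flow is a constructed assumption. It models the bug class
# the article describes (a decline that triggers a refund funded from the company's own
# capital), not the real mechanism, which the article does not detail.


@dataclass
class Ledger:
    equity: int                                   # company's own capital backing the float
    customers: dict[str, int] = field(default_factory=dict)
    cash_at_bank: int = 0                         # what the partner bank actually holds
    holds: dict[str, tuple[str, int]] = field(default_factory=dict)    # txn -> (acct, amt)
    settled: dict[str, tuple[str, int]] = field(default_factory=dict)
    refunded: set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        # Cash at the bank must cover customer liabilities plus the company's own capital.
        self.cash_at_bank = self.equity + sum(self.customers.values())


def authorize(ledger: Ledger, txn_id: str, account: str, amount: int) -> None:
    """Place a hold while the card scheme decides; the customer cannot spend held funds."""
    if ledger.customers[account] < amount:
        raise ValueError("insufficient funds")
    ledger.customers[account] -= amount
    ledger.holds[txn_id] = (account, amount)


def settle(ledger: Ledger, txn_id: str) -> None:
    """Approved purchase: the hold becomes a debit and the cash leaves for the merchant."""
    account, amount = ledger.holds.pop(txn_id)
    ledger.cash_at_bank -= amount
    ledger.settled[txn_id] = (account, amount)


def decline_vulnerable(ledger: Ledger, txn_id: str) -> None:
    """Flawed decline path (assumed): releases the hold AND books a refund credit as if a
    purchase had settled. No debit matches that credit, so the company's float pays for it."""
    account, amount = ledger.holds.pop(txn_id)
    ledger.customers[account] += amount     # correct: the hold is released
    ledger.customers[account] += amount     # wrong: "refund" of a purchase that never happened
    ledger.refunded.add(txn_id)


def decline_hardened(ledger: Ledger, txn_id: str) -> None:
    """Correct decline path: only the hold is released. Refunds are a separate operation."""
    account, amount = ledger.holds.pop(txn_id)
    ledger.customers[account] += amount


def refund_hardened(ledger: Ledger, txn_id: str, amount: int) -> None:
    """A refund must reference a settled debit, is bounded by it, and is applied once."""
    if txn_id not in ledger.settled:
        raise ValueError(f"{txn_id}: no settled debit to refund")
    if txn_id in ledger.refunded:
        raise ValueError(f"{txn_id}: already refunded")
    account, settled_amount = ledger.settled[txn_id]
    if amount > settled_amount:
        raise ValueError(f"{txn_id}: refund exceeds settled amount")
    ledger.customers[account] += amount
    ledger.cash_at_bank += amount           # the merchant's bank returns the money
    ledger.refunded.add(txn_id)


def withdraw_atm(ledger: Ledger, account: str, amount: int) -> None:
    """Cash out: the customer's balance and the cash at the bank fall together."""
    if ledger.customers[account] < amount:
        raise ValueError("insufficient funds")
    ledger.customers[account] -= amount
    ledger.cash_at_bank -= amount


def reconcile(ledger: Ledger) -> int:
    """Shortfall between what the bank should hold (equity plus customer liabilities) and
    what it does hold. Zero when the books balance; positive means the float is being drained."""
    expected = ledger.equity + sum(ledger.customers.values())
    return expected - ledger.cash_at_bank


def run_scenario(decline) -> tuple[int, int]:
    """Constructed attack: one large purchase that is declined, then cash out at an ATM.
    Returns (reconciliation shortfall, cash left at the bank)."""
    ledger = Ledger(equity=500_000, customers={"attacker": 100_000})
    authorize(ledger, "t1", "attacker", 90_000)
    decline(ledger, "t1")
    withdraw_atm(ledger, "attacker", ledger.customers["attacker"])
    return reconcile(ledger), ledger.cash_at_bank


def refund_after_decline_is_rejected() -> bool:
    """With the hardened path, a refund against a declined transaction is refused."""
    ledger = Ledger(equity=500_000, customers={"attacker": 100_000})
    authorize(ledger, "t1", "attacker", 90_000)
    decline_hardened(ledger, "t1")
    try:
        refund_hardened(ledger, "t1", 90_000)
    except ValueError:
        return reconcile(ledger) == 0
    return False
```

With the flawed path, `run_scenario(decline_vulnerable)` ends with the attacker's account empty, the bank holding 410,000 against an expected 500,000, and `reconcile` reporting the 90,000 shortfall; the hardened path leaves the books balanced. The point of the model is that the customer-facing balances look normal throughout, which is why only a reconciliation of cash actually held against liabilities, the check the partner bank effectively performed, reveals the loss.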
Revolut's US subsidiary requested significant cash injections from its parent company, after which the company worked to fix the flaw; it was ultimately closed around the spring of 2022.
Although Revolut recovered a portion of the funds by pursuing those responsible for exploiting the payment system error, the company still incurred a loss of approximately $20 million, nearly two-thirds of its annual net profit for 2021.
Revolut chose not to publicly disclose the incident, and the loss was not itemised in its delayed 2021 results.
Auditor BDO had raised concerns, stating that Revolut's revenues may have been "materially misstated" because it was unable to verify the "completeness and occurrence" of approximately two-thirds of the revenues reported for 2021.
This incident is expected to increase the pressure on Revolut, especially considering that the company is still awaiting its banking licence in the UK.
In 2020, the UK's Financial Conduct Authority ordered an independent review of Revolut's policies aimed at preventing and detecting financial crimes.
In recent months, Revolut has experienced significant departures, including the chief executive of its UK bank, James Radford, and the chief financial officer, Mikko Salovaara.
Joel Kass, the chief of staff and head of banking products for Revolut's UK entity, is also scheduled to depart from the company.
Revolut data breach in 2022
In September 2022, Revolut suffered a data breach where a third party gained unauthorised access to the company's database, compromising the personal information of thousands of users.
According to the breach disclosure made to the State Data Protection Inspectorate in Lithuania, which is the jurisdiction where Revolut holds a banking licence, a total of 50,150 customers worldwide were affected by the breach.
In an email sent to the affected customers, Revolut reassured them that the attackers had not gained access to any card data, PINs or passwords. However, the company acknowledged that the attackers may have obtained customer information such as names, addresses, email addresses, dates of birth and phone numbers.
The attack began when a Revolut employee fell for a phishing attack, a common way for attackers to gain an initial foothold in corporate systems.
In 2019, Revolut announced its intention to establish a new hacking unit tasked with monitoring the dark web for potential threats. The company said the unit would conduct simulated hacks on Revolut's own infrastructure to assess and strengthen its cybersecurity defences.