The State Data Protection Inspectorate has Initiated an Investigation Regarding Personal Data Breach in “Revolut”


2022 09 20


The State Data Protection Inspectorate (hereinafter referred to as SDPI), having received a notification of a personal data breach (hereinafter referred to as the PDB) from UAB “Revolut Bank”, UAB “Revolut Insurance Europe”, on its own initiative started an investigation into the aforementioned companies in order to assess whether there was a violation of the provisions of the General Data Protection Regulation (hereinafter referred to as the GDPR).

Brief information about the PDB:

  • According to preliminary data, access to the “Revolut” database was obtained through the use of social engineering methods;
  • Upon noticing the security incident, “Revolut's” security team took prompt action to eliminate the malicious attacker's access to the company's customer data and stop the incident;
  • According to the information provided, the data of about 50 150 customers worldwide (20 687 of them in European Economic Area), such as names, addresses, e-mail addresses, telephone numbers, part of the payment card data (according to the company, the cards numbers were masked), account details etc., could have been potentially affected during the incident.
  • The number of potentially affected users in Lithuania – 379.
  • The company stated that it is communicating with those customers whose personal data confidentiality was violated during this incident.
  • Customers are informed of the PDB by e-mail, they are provided with answers to questions they may have, and it is confirmed that funds in their accounts are not at risk, the steps “Revolut” has taken to protect customers are explained, etc.
  • “Revolut” is currently continuing its investigation into the cyber incident and personal data breach.
  • “Revolut” points out that it will not call or send SMS messages to its customers or ask for login data or access codes due to the incident, therefore any attempts to contact should be treated with suspicion.

Considering the fact that SDPI has already started an investigation on its own initiative concerning a possible personal data breach in the mentioned organisations, separate complaints of individuals shall not be considered. More information will be released after the investigation is complete.

Advice on Personal Data Security

SDPI urges residents to be alert and attentive in cyberspace. Cybercriminals are constantly looking for ways to make money at your expense and try to exploit human emotions in order to extract the information they need directly from you using social engineering techniques. Scammers usually follow the same principle – they try to force you to take actions without thinking about them after starting an emotional conversation.

Malicious attackers and fraudsters may try, using the publicised information about this breach of personal data security, to trick you with various login or other important personal data, offer some fictitious services and ask you to pay for them.

Be critical of who you provide your personal data to. Banks and other legitimate organisations or institutions usually do not ask for login data and personal information via e-mail, telephone or social networks. Be wary of any e-mail or SMS message that asks you for any personal information, and if in doubt, try to contact the official contact number of that organisation and ask what your personal data will be used for.

In order to protect yourself from various types of fraud and methods of enticing personal data, check the information provided or consult with reliable people before taking actions that could potentially harm you.

Another important factor is mindfulness, because social engineering relies on rushing the victims to make decisions without thinking and weighing their necessity, expecting them to act impulsively and irrationally. Do not make decisions in a rush and do not succumb to pressure.

In cases where e-mail addresses and telephone numbers are leaked, people may be exposed to potentially malicious SMS, e-mails or calls from scammers. SDPI urges people not to click on links received by e-mail or SMS, not to share their passwords, PIN codes, to be careful and critically evaluate the information they receive.