Evolve Mortgage Services Data Breach: 20TB Exposed, Including SSNs and Financial Account Information

Published: February 5, 2026
Updated: February 5, 2026

On Sept. 24, 2025, Evolve Mortgage Services, a Texas-based provider of outsourced mortgage services and technology platforms for financial institutions, discovered suspicious activity in its network. The incident potentially affects thousands of individuals whose mortgage information was processed by Evolve on behalf of various financial institutions.

The breach is believed to have occurred between Sept. 17 and Sept. 24, 2025.

This incident was linked to a ransomware attack by the group INC RANSOM, which claimed to have stolen 20 terabytes of data, including two terabytes of sensitive databases. The attackers reportedly accessed and exfiltrated a wide array of personally identifiable information provided to Evolve by its financial institution clients.

According to the ransomware group’s dark web posting on Oct. 30, 2025, the stolen data included Social Security numbers, scans of client IDs, home and work addresses, personal and work phone numbers, full credit histories and confidential PII forms dating back to 2016.

Current public disclosures have noted that the following information types were confirmed to be included in the exposure: name, Social Security number, driver’s license number, government-issued ID number, and financial account information.

The breach was officially disclosed to the California Attorney General and the New Hampshire Attorney General on Feb. 4, 2026. The total number of individuals affected has not been released, but at least ten New Hampshire residents were impacted.

Evolve Mortgage Services' response (on behalf of financial institutions)

After identifying the breach, Evolve engaged third-party cybersecurity specialists to investigate and secure its systems. The company replaced hardware, implemented additional security measures and revised its data protection policies and procedures to help prevent future incidents.

For those affected, Evolve is offering twelve months of complimentary credit monitoring and identity protection services through Cyberscout, a TransUnion company. Impacted individuals are encouraged to enroll in these services within ninety days of receiving their notification letter.

Evolve has also advised affected individuals to remain vigilant for the next twelve to twenty-four months by regularly reviewing credit reports and account statements for suspicious activity.

Given the severity and method of the breach, it is especially important for those notified to:

  • Enroll in the offered credit monitoring and identity protection services
  • Monitor credit reports for unfamiliar accounts or inquiries
  • Consider placing a fraud alert or credit freeze with the major credit bureaus
  • Report any signs of identity theft or fraud to the appropriate authorities

Additional resources and detailed instructions for protecting personal information are included in the notification letter and are available through Cyberscout.

Types of information affected
  • Names
  • Social Security numbers
  • Dates of birth
  • Addresses
  • Government IDs
  • Medical information
  • Financial information
  • Affected information types not yet disclosed

Consumers Notification date
Date of Breach
September 24, 2025
Breach Discovered Date
Total People Affected
Information Types Exposed
  • name
  • Social Security number
  • driver’s license number
  • government issued identification number
  • financial account information