Revolut data hack: what you need to know

Cyberattack exposes the data of over 50,000 customers 
Chiara CavaglieriSenior researcher & writer
Revolut card and app

Fintech Revolut has been hit by a cyberattack that exposed the data of over 50,000 customers, Which? Money reports, putting users at increased risk of identity theft and fraud. 

Now in its seventh year, Revolut has amassed more than 20 million global customers to date, with 4.8 million in the UK - its biggest market. The company was hit by a data breach late at night on Sunday 11 September, which it says affected less than 1% of its customer base.

The breach was identified by the early hours of Monday morning, however, personal data including customer contact details and account data had already been compromised. 

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

What Revolut customer data has been exposed?

Details of the data breach were published by the State Data Protection Inspectorate this week – the Lithuanian authority responsible for monitoring the application of data protection law – because Revolut is licensed and regulated by the Bank of Lithuania.

It said access to the Revolut database was breached through social engineering. A common example of this is an employee falling victim to a phishing scam and inadvertently sharing a password - though we don't know if that's what happened in this case.

The breach led to the data of 50,150 customers around the world being compromised, though no passwords or card Pins were accessible. 

The data that was exposed varied for different customers, but the list includes: contact details (name, email, phone number, postal address); partial debit card data (card numbers were masked and therefore unusable); account data (such as past transactions); and details of their device and last known IP address.

A Revolut spokesperson told Which? Money: ‘Revolut recently experienced a highly targeted cyber attack. This resulted in an unauthorised third party obtaining access to the details of a small percentage (0.16%) of our customers for a short period of time.

'We immediately identified and isolated the attack to effectively limit its impact and have contacted those customers affected. Customers who have not received an email have not been impacted. 

'To be clear, no funds have been accessed or stolen. Our customers’ money is safe - as it has always been. All customers can continue to use their cards and accounts as normal.

'We take incidents such as these incredibly seriously, and we would like to sincerely apologise to any customers who have been affected by this incident as the safety of our customers and their data is our top priority at Revolut.’

Revolut is working with the Information Commissioner’s Office in the UK, as well as other regulators and relevant authorities, as investigations proceed.

Make your money go further

Find the best deals, avoid scams, and grow your savings with our expert guidance. From only £4.99 a month, cancel anytime.

Join Which? Money

What has Revolut told data breach victims?

Revolut has contacted specific customers who have been affected by this incident by email, telling them that a special team will oversee their accounts and ensure their money and data remain secure. 

Affected customers do not need to take any specific action and can continue to use their cards and accounts as normal. However, you should be vigilant to suspicious activity, including suspicious emails, phone calls or text messages.

Revolut said it will not contact customers by phone or text asking for security codes or login data, so any attempts to access information in this way are fraudsters. 

Protect against fraud and identity theft

It’s likely that cybercriminals will increase phishing attempts in the wake of this attack, so all Revolut customers should be on high alert for texts and emails that may contain malicious links. 

Scammers may also pose as Revolut fraud staff over the phone, in an attempt to trick customers into divulging security details. Treat all phone calls about the data breach as potential fraud. 

Identity theft is a pressing concern for victims of this, or any other, data breach. 

Your name, address and date of birth can be enough information for a criminal to open bank accounts, obtain credit cards, loans and state benefits, and order goods as ‘you’. 

In the aftermath of a data breach, you should keep a close eye on any post delivered, and check your bank and credit card statements regularly. Set up any available bank alerts to notify you of activity on your accounts. 

Check your credit reports, too - you can do this for free.

You can also take more direct steps to prevent fraudsters from using your details:

  • Place a fraud alert on your credit report with any one of the three UK credit reference agencies – Experian, TransUnion or Equifax – for free. This means any lender processing a credit application in your name will know that you may be a victim of fraud or identity theft, and they will take extra steps to verify the applicant is really you before moving ahead with the application. When you add a fraud alert to one credit report, it will automatically be applied to your credit reports at all three credit reference agencies, so you only need to do this once. 
  • Sign up for Cifas protective registration service which will place a flag alongside your name and personal details in its ‘National Fraud Database’, costing £25 for two years. This means companies and organisations who are signed up as members of the database will see you’re at risk, and take extra steps to make sure it’s really you applying for products and services.

Find out more: spot and protect yourself from scams

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.