Credential theft
Revolut Social Engineering Attack (50K Customers)
Incident Details
On September 11, 2022, Revolut, a UK/EU-based neobank and fintech company with over 20 million customers, suffered a brief but significant data breach via a social engineering attack. A threat actor used phishing techniques to trick a Revolut employee into granting access to internal systems, which were quickly isolated upon detection overnight. Approximately 50,150 customers were affected (0.16% of Revolut’s global user base at the time), including 20,687 EEA-based customers. Exposed data included names, postal addresses, email addresses, telephone numbers, and partial payment card details (masked card numbers only; no full card numbers, PINs, or passwords). No customer funds were accessed or transferred. Revolut notified affected customers directly and warned of heightened phishing risk from criminals who might use the stolen contact information. Revolut submitted its breach notification to the Lithuanian Data Protection Authority (VDAI), as Revolut holds its EU banking license through Lithuania. The attack occurred during the same period as the broader ‘0ktapus’ social engineering wave targeting tech companies (Twilio, DoorDash, etc.), though Revolut has not confirmed whether this attack was part of the same campaign.
Technical Details
- Initial Attack Vector: Social engineering. A threat actor used targeted phishing/social engineering techniques against a Revolut employee to obtain credentials, gaining unauthorized access to Revolut's internal database systems.
Timeline
- 2022-09-11 Breach occurred
- 2022-09-19 Customers notified
- 2022-09-20 Publicly disclosed