Full Report
FinWise Bank is warning on behalf of corporate customers that it suffered a data breach after a former employee accessed sensitive files after the end of their employment. [...]
Analysis Summary
# Incident Report: Insider Data Access at FinWise Bank
## Executive Summary
FinWise Bank experienced a data security incident where a former employee inappropriately accessed sensitive customer files after their period of employment ended. This breach, which was discovered on May 31, 2024, impacted approximately 689,000 customers of its corporate partner, American First Finance (AFF). FinWise has launched an investigation, strengthened internal controls, and is offering credit monitoring services to affected individuals.
## Incident Details
- Discovery Date: May 31, 2024
- Incident Date: On or around May 31, 2024 (when access occurred post-employment)
- Affected Organization: FinWise Bank (impacting customers of American First Finance)
- Sector: Financial Services/Banking
- Geography: Not explicitly stated, but involving US entities (Maine AG filing cited)
## Timeline of Events
### Initial Access
- Date/Time: On or shortly before May 31, 2024 (Access occurred *after* employment ended)
- Vector: Insider Threat (Former Employee)
- Details: A former employee was able to access sensitive FinWise data subsequent to their employment termination.
### Lateral Movement
- Details: Not specified in the report, but implied successful navigation to sensitive files.
### Data Exfiltration/Impact
- Details: Files containing customer information, including full names and other personal data elements, were accessed. The exact volume and full list of exposed fields were redacted.
### Detection & Response
- Date: May 31, 2024
- Detection: FinWise discovered the unauthorized access.
- Response actions taken: Launched an investigation with outside cybersecurity professionals, strengthened internal controls, and began notifying affected customers, offering 12 months of free credit monitoring and identity theft protection.
## Attack Methodology
- Initial Access: Insider Threat (Unauthorized access by a former employee).
- Persistence: Not explicitly detailed, but access was maintained post-termination.
- Privilege Escalation: Not specified.
- Defense Evasion: Not specified, but the access occurred after the employee was terminated, suggesting a systemic weakness in off-boarding procedures.
- Credential Access: Implied continued use of prior credentials or access methods.
- Discovery: Not applicable (Attacker was an internal actor).
- Lateral Movement: Not specified.
- Collection: Accessing and potentially downloading/copying sensitive customer files.
- Exfiltration: Not explicitly detailed, but access implies removal or exposure of data.
- Impact: Unauthorized viewing and potential compromise of PII belonging to 689K AFF customers.
## Impact Assessment
- Financial: Not specified, though the company is facing multiple class-action lawsuits.
- Data Breach: PII of 689,000 American First Finance customers exposed, including names and other personal data elements.
- Operational: No specified operational outage mentioned, but internal controls were assessed and strengthened.
- Reputational: Negative impact resulting in multiple class-action lawsuits.
## Indicators of Compromise
- Network indicators: None provided (defanged).
- File indicators: None provided.
- Behavioral indicators: Unauthorized access by a former employee post-termination.
## Response Actions
- Containment measures: The company launched an investigation upon discovery. Access was likely revoked immediately upon detection.
- Eradication steps: Strengthened internal controls to reduce the risk of similar incidents.
- Recovery actions: Offering 12 months of complimentary credit monitoring and identity theft protection services to impacted individuals.
## Lessons Learned
- Key takeaways: Failure to immediately and completely revoke all access permissions for departing employees remains a critical security risk that materialized in this incident.
- What could have been done better: Immediate review and revocation of all digital access rights upon employee termination are crucial, especially for those with access to sensitive customer data.
## Recommendations
- Prevention measures for similar incidents: Implement rigorous, automated off-boarding checklists to ensure all system access, including VPN, application logins, and physical access credentials, are disabled immediately upon the cessation of employment. Conduct post-termination access audits for high-privilege accounts.