A US-based fintech company, FinWise, has alerted its customers about a potential data breach stemming from an insider threat. The organization, which facilitates loans on behalf of various American financial institutions, disclosed that a former employee accessed sensitive customer information after their departure from the company.
According to filings made with the Maine Attorney General’s Office, the breach has affected customers of American First Finance (AFF), a technology provider with whom FinWise partners to offer installment loans. In a letter notifying users, FinWise stated, “On May 31, 2024, FinWise experienced a data security incident involving a former employee who accessed FinWise data after the end of their employment.”
The extent of the breach is concerning, as it reportedly impacts approximately 689,000 individuals, with exposed data including full names and unspecified additional data elements. FinWise has not disclosed the exact method by which the former employee accessed this sensitive information but has initiated a formal investigation into the incident.
In response to the breach, FinWise has undertaken a range of precautionary measures to bolster data security. The firm is also offering free credit monitoring and identity theft protection services to those affected. The company emphasized that upon discovering the incident, they quickly engaged external cybersecurity experts to assess the situation and determine whether any sensitive data had been compromised.
Insider threats have become increasingly prevalent in recent years, with cybersecurity professionals voicing warnings about their potential to disrupt organizations. A 2024 report by Arctic Wolf revealed that 61% of organizations have identified insider threats, with 29% of these incidents resulting in data breaches. Furthermore, Verizon’s research indicated that 34% of all reported breaches were attributable to insider actions, highlighting the significance of this issue.
Many insider incidents are not the result of malicious intent but rather stem from poor cyber hygiene practices by employees. Various recent events have underscored the risks, showing that disgruntled former employees can act out against their previous employers. For example, a software developer was recently convicted for deploying a sabotage mechanism within their former organization, resulting in detrimental disruptions.
Experts continue to advocate for improved offboarding practices to mitigate these risks. Josh Kirkwood, a senior manager at CyberArk, noted that effective offboarding should not be an afterthought but rather a critical part of an organization’s cybersecurity strategy. This involves ensuring that former employees no longer have access to sensitive information and systems, a strategy which aligns with the MITRE ATT&CK framework’s focus on tactics such as initial access, persistence, and privilege escalation.
As the landscape of cybersecurity risks evolves, business owners must remain vigilant and proactive in understanding and mitigating insider threats. The FinWise incident serves as a crucial reminder of the potential vulnerabilities that lie within organizations and the need for robust security protocols to safeguard sensitive data and maintain trust with customers.
