689,000 Affected by Insider Breach at FinWise Bank

A former FinWise employee gained access to American First Finance customer information.

Hundreds of thousands of individuals have been impacted by an insider breach experienced by FinWise Bank.

FinWise Bank, a Utah-based provider of fintech solutions and banking services, has informed the Maine Attorney General’s Office on behalf of payment solutions provider American First Finance (AFF) that a data breach discovered last year has impacted 689,000 individuals.

The incident involved a former FinWise employee accessing data after their employment ended. No additional details have been shared, but the notification sent out to impacted individuals suggests the former employee accessed AFF data, specifically personal information.

“FinWise contracts with AFF to offer installment loans to consumers. In this arrangement, FinWise is the lender and AFF is the technology provider. FinWise originates the loan and provides funds to the consumer. AFF is contracted to provide the application platform, facilitate the loan origination for FinWise, as well as service the loan on behalf of FinWise,” FinWise explained in its notification.

“Please note that you may have had, or applied for, a FinWise installment loan, a lease-to-own account, or a retail installment sales agreement account with AFF which was impacted by this security incident,” impacted people have been told. 

It’s unclear whether the former FinWise employee accessed data other than that belonging to AFF. It’s also unclear whether the former employee acted maliciously or whether it was a case of negligence.

It’s not uncommon for disgruntled employees to gain access to their former employer’s systems following their termination, and their actions can result in significant disruption and financial loss.

The FinWise notification letter sent out to impacted individuals reveals that the incident took place in May 2024. 

Affected individuals are being offered 12 months of free credit monitoring and identity theft protection services, which typically indicates that sensitive information such as Social Security numbers has been exposed and may be at risk of being misused.

SecurityWeek has reached out to FinWise. The company said it cannot comment on the issue, citing pending litigation filed by several of the individuals impacted by the data breach. FinWise pointed to a recent SEC filing that mentions the lawsuits and its intent to defend against them.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.