SecurityWeek

Finastra Starts Notifying People Impacted by Recent Data Breach

Financial software firm Finastra is notifying individuals whose personal information was stolen in a recent data breach.

British fintech giant Finastra last week started sending written notifications to individuals who had their personal information stolen in a data breach.

The incident came to light in mid-November 2024, after a threat actor offered data allegedly stolen from the company’s systems on an underground forum. The hacker claimed to have stolen 400 gigabytes of data.

At the time, Finastra acknowledged the data breach, saying that the attacker compromised an internal file-transfer application used by some of its customers, but refrained from sharing information on the scope of the incident, citing the ongoing investigation.

On February 12, however, the fintech firm informed the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) that it was sending data breach notifications to 65 Massachusetts residents, informing them that personal information was compromised in the incident.

In the notification letter, a redacted copy of which was submitted to the OCABR, Finastra reveals that, between October 31, 2024, and November 8, 2024, a threat actor accessed an internal secure file transfer platform multiple times, and that they exfiltrated certain files from the platform.

The stolen files, the company says, included personal information such as names, along with financial account information. Finastra is providing the impacted individuals with two years of free identity protection and credit monitoring services.

The company did not say how many individuals might have been affected, nor did it share other details on the cyberattack, although it said in November that it was not a ransomware attack and that no malware was deployed on its systems.

However, the wording in the notification letter, and the fact that the threat actor’s post on the underground forum was deleted relatively quickly, may suggest that the company engaged in negotiations with the intruder and paid up to have the stolen information deleted.

“Finastra has no indication the unauthorized third party further copied, retained, or shared any of the data. We have no reason to suspect your information has or will be misused. As a result, we believe the risk to individuals whose personal data was involved is low,” Finastra’s notification letter reads.

“This incident was limited to the one platform and there was no lateral movement beyond it. As part of our investigation, Finastra and third-party experts have conducted a thorough review of the data involved in this incident and have determined that the impacted data contained certain personal information related to a small, select number of Finastra customers. Importantly, we have notified all affected customers directly to provide resources and comply with all relevant notification obligations,” Finastra said, responding to a SecurityWeek inquiry.

*Updated with statement from Finastra.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
