Insider Breach at FinWise Bank Exposes Data of 689,000 AFF Customers

A shocking revelation has come to light about a data breach at FinWise Bank, a Utah-based community bank that partners with fintechs and lenders to offer consumer loans, small business financing, and deposit services. The breach, which occurred on May 31, 2024, exposed the sensitive information of 689,000 American First Finance (AFF) customers.

FinWise Bank, an FDIC-insured institution, had partnered with AFF to provide consumer loans while managing applications, originations, and servicing. However, a former employee's actions have left the bank reeling, as they maintained access to AFF data after leaving their position.

The Investigation Reveals Negligent Behavior

An investigation conducted with the support of external cybersecurity professionals has shed light on the circumstances surrounding the breach. According to the findings, the former employee did not intentionally access sensitive information beyond their employment period. However, it is unclear whether their negligence put FinWise loans, AFF lease-to-own accounts, or retail installment sales agreements linked to affected individuals at risk.

FinWise Bank has acknowledged that a data security incident occurred on May 31, 2024, and notified the Maine Attorney General's office about the breach. The notification reads: "On May 31, 2024, FinWise experienced a data security incident involving a former employee who accessed FinWise data after the end of their employment. Some of the data impacted includes American First Finance’s (“AFF’s”) data."

The Consequences and Support Offered

The breach has left 689,000 AFF customers vulnerable to identity theft and other forms of exploitation. To mitigate this risk, FinWise Bank is offering 12 months of free credit monitoring and identity theft protection services to the affected individuals.

"FinWise contracts with AFF to offer installment loans to consumers. In this arrangement, FinWise is the lender and AFF is the technology provider," reads the data breach notification published by the Maine Attorney General's office.

A Call for Transparency and Accountability

While FinWise Bank has taken steps to address the breach, questions remain about the bank's handling of sensitive information. The incident highlights the need for transparency and accountability in the financial services industry.

As a journalist, I will continue to monitor this situation and provide updates as more information becomes available.
