FinWise Bank, a Utah-based financial institution specializing in embedded banking, disclosed a data breach affecting 689,000 individuals due to insider wrongdoing. The compromised data, which was stored unencrypted, included full names, dates of birth, Social Security numbers, and account numbers. The breach was discovered on May 31, 2024, but victim notifications were delayed until July 2025, over a year later, violating regulatory timelines and exposing victims to prolonged identity theft risk. The incident led to six class-action lawsuits seeking over $5 million in damages, citing negligence, breach of contract, and failure to safeguard PII. Plaintiffs demanded lifetime credit monitoring (instead of the 12 months offered) and mandatory encryption of all future data. The breach impacted FinWise’s fintech partner, American First Finance, whose customer loan data was accessed. FinWise faces reputational harm, financial penalties, and operational scrutiny, though it claims potential losses are immaterial to its $14.7M quarterly net income.
Source: https://www.americanbanker.com/news/finwise-waited-a-year-to-disclose-a-breach-affecting-689-000
TPRM report: https://www.rankiteo.com/company/finwise-bank
{
  "id": "fin2992929092325",
  "linkid": "finwise-bank",
  "type": "Breach",
  "date": "5/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': '689,000',
                        'industry': 'Financial Services (Embedded Banking)',
                        'location': 'Utah, USA',
                        'name': 'FinWise Bank',
                        'type': 'National Bank'},
                       {'customers_affected': '689,000 (Shared with FinWise)',
                        'industry': 'Consumer Lending',
                        'name': 'American First Finance',
                        'type': 'Fintech Partner'}],
 'attack_vector': 'Insider Wrongdoing (Unauthorized Access by Former Employee)',
 'customer_advisories': ['12-Month Credit Monitoring Offered (Deemed '
                         'Inadequate by Plaintiffs)'],
 'data_breach': {'data_encryption': 'No (Data Stored Unencrypted)',
                 'data_exfiltration': 'Likely (Dark Web Sale Implied)',
                 'number_of_records_exposed': '689,000',
                 'personally_identifiable_information': ['Full Names',
                                                         'Dates of Birth',
                                                         'Social Security '
                                                         'Numbers',
                                                         'Account Numbers'],
                 'sensitivity_of_data': 'High (SSNs, Account Numbers)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)']},
 'date_detected': '2024-05-31',
 'date_publicly_disclosed': '2025-07-01',
 'description': 'FinWise Bank, a Utah-chartered financial institution '
                'specializing in embedded banking, disclosed a data breach '
                'affecting nearly 700,000 people (689,000 confirmed) due to '
                'insider wrongdoing. The breach involved unauthorized access '
                'to personally identifiable information (PII), including full '
                'names, dates of birth, Social Security numbers, and account '
                'numbers. The incident was discovered on May 31, 2024, but '
                'public disclosure and victim notifications were delayed until '
                'July 2025, sparking six class-action lawsuits seeking '
                'over $5 million in damages. Plaintiffs allege negligence, '
                'breach of contract, and unjust enrichment, citing unencrypted '
                'data storage and delayed disclosure as key failures. The '
                'breach primarily impacted customers of FinWise’s fintech '
                'partner, American First Finance, which facilitates '
                'installment loans. Lawsuits demand stronger encryption, '
                'lifetime credit monitoring, and regulatory compliance '
                'improvements.',
 'impact': {'brand_reputation_impact': 'Severe (Delayed Disclosure, Negligence '
                                       'Allegations)',
            'customer_complaints': 'Six Class-Action Lawsuits Filed',
            'data_compromised': ['Full Names',
                                 'Dates of Birth',
                                 'Social Security Numbers',
                                 'Account Numbers'],
            'financial_loss': '> $5,000,000 (Class Action Lawsuits)',
            'identity_theft_risk': 'High (Lifelong Risk Due to SSN Exposure)',
            'legal_liabilities': ['Six Consolidated Lawsuits in U.S. District '
                                  'Court for Utah',
                                  'Potential Regulatory Fines (Utah AG)'],
            'operational_impact': ['Legal Costs',
                                   'Regulatory Scrutiny',
                                   'Reputational Harm'],
            'payment_information_risk': 'Account Numbers Compromised',
            'systems_affected': ['American First Finance Loan Application '
                                 'Platform',
                                 'FinWise Bank Customer Data '
                                 '(Partner-Specific)']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Implied (SSN + PII '
                                                    'Combination Valuable to '
                                                    'Criminals)',
                           'entry_point': 'Internal Systems (Employee Access)',
                           'high_value_targets': ['American First Finance '
                                                  'Customer Data']},
 'investigation_status': 'Ongoing (Litigation Phase)',
 'lessons_learned': ['Delayed disclosure exacerbates reputational and legal '
                     'risks.',
                     'Insider threats require stricter access controls and '
                     'monitoring.',
                     'Unencrypted PII storage violates industry standards and '
                     'increases liability.'],
 'motivation': ['Financial Gain (Potential)',
                'Unclear (Dark Web Data Sale Implied)'],
 'post_incident_analysis': {'corrective_actions': ['Defend lawsuits vigorously '
                                                   '(per SEC filing).',
                                                   'Potential court-ordered '
                                                   'encryption and monitoring '
                                                   '(if lawsuits succeed).'],
                            'root_causes': ['Insufficient access controls for '
                                            'employees.',
                                            'Failure to encrypt sensitive PII.',
                                            'Delayed breach disclosure (14+ '
                                            'months).']},
 'recommendations': ['Implement robust encryption for all customer data.',
                     'Enhance insider threat detection (e.g., behavioral '
                     'analytics, least-privilege access).',
                     'Comply with state breach notification timelines (e.g., '
                     'Utah’s ‘expedient’ requirement).',
                     'Offer lifetime credit monitoring for victims of SSN '
                     'exposure.',
                     'Conduct third-party risk assessments for fintech '
                     'partners.'],
 'references': [{'date_accessed': '2025-09-12',
                 'source': 'Maine Attorney General Data Breach Notification'},
                {'date_accessed': '2025-08-11',
                 'source': 'FinWise Bank Form 10-Q (SEC Filing)'},
                {'source': 'Class Action Lawsuit Consolidation (U.S. District '
                           'Court for Utah)'}],
 'regulatory_compliance': {'legal_actions': ['Six Class-Action Lawsuits '
                                             '(Consolidated)',
                                             'Potential Utah AG Enforcement'],
                           'regulations_violated': ['Utah Data Breach '
                                                    'Notification Law (Delayed '
                                                    'Reporting)'],
                           'regulatory_notifications': ['Maine Attorney '
                                                        'General (Disclosure '
                                                        'Filed)',
                                                        'Utah Attorney General '
                                                        '(Unclear Timing)']},
 'response': {'communication_strategy': ['Regulatory Filings (Maine AG)',
                                         'Public Disclosure (July 2025)'],
              'incident_response_plan_activated': 'Yes (Delayed)',
              'remediation_measures': ['Victim Notifications (Delayed)',
                                       '12-Month Credit Monitoring Offered']},
 'stakeholder_advisories': ['Victim Notifications (July 2025)',
                            'SEC Filing (August 2025)'],
 'threat_actor': 'Former FinWise Bank Employee',
 'title': 'FinWise Bank Data Breach Impacting 689,000 Individuals Due to '
          'Insider Wrongdoing',
 'type': ['Data Breach', 'Insider Threat'],
 'vulnerability_exploited': ['Inadequate Access Controls',
                             'Lack of Data Encryption']}