The **2024 FinWise data breach** was an insider-threat incident in which a **former employee** used retained credentials to gain unauthorized access to FinWise Bank’s systems on **May 31, 2024**. The breach went undetected for **over a year**, during which the ex-employee leaked **sensitive personal data of 689,000 customers** of American First Finance (AFF). The delayed discovery (June 18, 2025) exacerbated the damage, leading to **legal action, regulatory scrutiny, and reputational harm**. Allegations suggest the stolen data was **poorly encrypted**, compounding the risk of misuse. The breach exposed critical failures in **access control, encryption, and monitoring**, and systemic weaknesses in FinWise’s security governance. Customers faced potential fraud and identity-theft risks, while the bank suffered **irreversible financial and reputational losses**, reinforcing the need for proactive insider-threat mitigation and for robust encryption backed by **key management systems (KMS)** and **centralized access controls**.
TPRM report: https://www.rankiteo.com/company/finwise-bank
"id": "fin3092030102225",
"linkid": "finwise-bank",
"type": "Breach",
"date": "5/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '689,000 (American First Finance '
'customers)',
'industry': 'Banking/Finance',
'name': 'FinWise Bank',
'type': 'Financial Institution'},
{'customers_affected': '689,000',
'industry': 'Finance',
'name': 'American First Finance (AFF)',
'type': 'Financial Services Provider'}],
'attack_vector': ['Unauthorized Access (Retained Credentials)',
'Insider Threat (Former Employee)'],
'customer_advisories': ['Notifications sent to affected AFF customers in June '
'2025'],
'data_breach': {'data_encryption': ['Allegedly Inadequate or Poorly Managed'],
'data_exfiltration': 'Yes',
'number_of_records_exposed': '689,000',
'personally_identifiable_information': ['Customer Names',
'Potentially '
'Financial/Contact '
'Details (implied)'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)']},
'date_detected': '2025-06-18',
'date_publicly_disclosed': '2025-06',
'description': 'The 2024 FinWise data breach was caused by unauthorized '
'access from a former employee using retained credentials. The '
'breach exposed sensitive personal information of 689,000 '
'American First Finance (AFF) customers. The incident went '
'undetected for over a year (from May 31, 2024, to June 18, '
'2025), raising concerns about FinWise Bank’s encryption '
'practices, access controls, and insider threat detection '
'capabilities. Lawsuits allege inadequate data security '
'measures, leading to legal action, regulatory scrutiny, and '
'reputational damage.',
'impact': {'brand_reputation_impact': ['Severe Damage',
'Loss of Customer Trust'],
'customer_complaints': ['Public Criticism', 'Lawsuits'],
'data_compromised': ['Personally Identifiable Information (PII)'],
'identity_theft_risk': ['High (Due to PII Exposure)'],
'legal_liabilities': ['Lawsuits Alleging Inadequate Encryption',
'Potential Regulatory Fines'],
'operational_impact': ['Legal Actions',
'Regulatory Scrutiny',
'Reputational Damage']},
'initial_access_broker': {'entry_point': 'Retained Credentials (Former '
'Employee)',
'high_value_targets': ['Customer PII Database']},
'investigation_status': 'Ongoing (as of 2025-06; lawsuits and regulatory '
'scrutiny active)',
'lessons_learned': ['Insider threats require proactive detection and '
'prevention (e.g., credential revocation, anomaly '
'monitoring).',
'Encryption alone is insufficient without robust key '
'management and access controls.',
'Centralized encryption platforms (e.g., D.AMO) can '
'mitigate risks by enforcing role-based access and '
'isolating keys.',
'Delayed breach detection exacerbates financial, legal, '
'and reputational damage.'],
'post_incident_analysis': {'root_causes': ['Failure to revoke former '
'employee’s credentials promptly.',
'Lack of anomaly detection for '
'unauthorized access.',
'Potentially weak or improperly '
'managed encryption.',
'Absence of centralized key '
'management and access controls.']},
'recommendations': ['Implement automated credential revocation for former '
'employees.',
'Deploy comprehensive encryption solutions with '
'integrated key management (e.g., D.AMO).',
'Enhance monitoring for abnormal access patterns, '
'especially for privileged users.',
'Adopt centralized access control and audit logging '
'(e.g., D.AMO Control Center).',
'Conduct regular security audits to validate encryption '
'and key management practices.',
'Train employees on insider threat risks and data '
'handling policies.'],
'references': [{'source': 'Penta Security (Sponsored Article)'}],
'regulatory_compliance': {'legal_actions': ['Lawsuits Filed by Affected '
'Customers']},
'response': {'communication_strategy': ['Customer Notifications (June 2025)']},
'threat_actor': 'Former Employee (Insider)',
'title': 'FinWise Data Breach (2024)',
'type': ['Data Breach', 'Insider Threat'],
'vulnerability_exploited': ['Poor Credential Management',
'Lack of Access Revocation for Former Employees',
'Inadequate Encryption',
'Lack of Anomaly Detection']}