689,000 FinWise Bank Customers at Risk: Former Employee Stole Personal and Financial Data in Multi-Year Breach


CYBERDUDEBIVASH

TL;DR
  • A former FinWise employee accessed sensitive customer files on May 31, 2024; the incident was discovered over a year later and disclosed this year — affecting about 689,000 American First Finance (AFF) customers.
  • Reportedly exposed data elements include names, addresses and other personally identifying information; some state notices allege Social Security numbers and account numbers may have been accessed.
  • If you are an affected customer: monitor financial accounts, enroll in offered credit monitoring, be alert for phishing/impersonation attempts, and follow the “What to do now” steps below.

What happened (short)

FinWise Bank — which partners with fintechs like American First Finance to provide lending and deposit services — disclosed that a former employee retained or gained unauthorized access and acquired customer data on May 31, 2024. The company says it discovered the access in mid-2025 and notified regulators and affected individuals; reporting and public filings place the number of impacted people at roughly 689,000.

Why this matters

  • Insider threats are different: when the access path is legitimate (valid employee credentials), perimeter and intrusion-style controls see nothing abnormal, so the actor can read large data sets without tripping alerts tuned for external attackers. That increases both dwell time and the volume of data exposed.
  • Sensitive fields reported: public notices reference names, addresses and other customer data; some notices allege that potentially more sensitive identifiers were accessible. That raises identity-theft and fraud risk for impacted customers.
  • Delay in discovery: the access was detected well after it occurred. Late discovery complicates containment and notification, and is a factor in the litigation and regulatory scrutiny that follow.

Confirmed facts (what companies / filings say)

  • FinWise reported the incident date as May 31, 2024 and public disclosure / state notices followed after discovery.
  • Public filings and news outlets cite approximately 689,000 impacted American First Finance customers.
  • FinWise engaged external cybersecurity experts, offered credit monitoring to affected customers, and is facing legal action related to disclosure timing and controls.

What to do now — immediate steps for consumers

  1. Confirm if you were notified: check emails or letters from FinWise / American First Finance. If you received a notice, follow the instructions and enroll in offered credit monitoring.
  2. Monitor accounts & credit: check bank/credit card statements weekly for 60–90 days and watch for unfamiliar charges or new account openings.
  3. Be phishing-ready: attackers often use stolen PII to craft convincing phishing and vishing (phone) scams. Verify requests via official channels — don’t click links in unsolicited emails/SMS.
  4. Consider a fraud alert or credit freeze: if you detect misuse of identity or financial information, contact your credit bureaus to place fraud alerts or freezes where available.
  5. Update passwords and MFA: for any related online accounts (loan portals, email, banking), rotate passwords and enable MFA/passkeys where possible.

Short IR/SOC checklist for financial institutions

  • Review and revoke any orphaned service accounts or access tokens associated with the ex-employee account(s).
  • Preserve forensic evidence: collect logs, snapshots, database query logs, and cloud access events for the suspected timeframe.
  • Search for signs of unauthorized exfiltration: large exports, unusual cloud downloads, atypical SQL queries, or mass report generations.
  • Notify regulators and affected parties per applicable breach laws; coordinate with outside DFIR and legal counsel.
  • Perform an access-control and offboarding audit to close similar gaps (disable access on termination, rotate shared keys, adopt least privilege).
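One way to run the offboarding audit from the last checklist item as a repeatable script rather than a one-off spreadsheet exercise. This is an added example, not code from the post or from FinWise: it joins a (constructed) HR termination roster against a (constructed) account inventory of the kind an IAM export produces, and flags user accounts still enabled or used after termination, service accounts whose owner has left, and accounts with no HR owner at all. Field names and the sample dates are assumptions.

```python
"""Offboarding audit: join HR terminations against an account inventory.

Added example (not the post's or FinWise's code). HR_ROSTER, ACCOUNTS and
AS_OF are constructed sample data; real runs would load an HR export and an
IAM/directory export in their place.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                      # HR employee id responsible for the account
    kind: str                       # "user" (human) or "service" (non-human)
    enabled: bool
    last_login: Optional[datetime]  # None = never logged in / not tracked


# Constructed HR roster: employee id -> termination date (None = still employed)
HR_ROSTER = {
    "e1001": None,
    "e1002": date(2024, 5, 15),
    "e1003": date(2024, 6, 30),
}

# Constructed account inventory; "dave" has an owner id HR does not know
ACCOUNTS = [
    Account("alice", "e1001", "user", True, datetime(2024, 5, 31, 9, 12)),
    Account("bob", "e1002", "user", True, datetime(2024, 5, 31, 2, 47)),
    Account("svc-report-export", "e1002", "service", True, datetime(2024, 5, 30, 23, 58)),
    Account("carol", "e1003", "user", False, datetime(2024, 6, 28, 17, 5)),
    Account("svc-etl", "e1003", "service", True, None),
    Account("dave", "e9999", "user", True, None),
]

AS_OF = date(2024, 7, 1)  # constructed audit date


def audit_offboarding(accounts, roster, as_of):
    """Return (account name, finding) pairs for accounts that should have been
    disabled or re-owned when their owner left, evaluated as of `as_of`."""
    findings = []
    for acct in accounts:
        if acct.owner not in roster:
            # No HR record at all: nobody is accountable for this access
            findings.append((acct.name, "owner not found in HR roster"))
            continue
        term = roster[acct.owner]
        if term is None or term > as_of:
            continue  # owner still employed (or termination not yet effective)
        if acct.kind == "user":
            if acct.enabled:
                findings.append((acct.name, "user account still enabled after termination"))
            if acct.last_login is not None and acct.last_login.date() > term:
                # Activity after the termination date is the signal to escalate to IR
                findings.append((acct.name, "login after termination date"))
        elif acct.kind == "service" and acct.enabled:
            # Service accounts outlive people; they need a new owner or a shutdown
            findings.append((acct.name, "service account orphaned: owner terminated"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_offboarding(ACCOUNTS, HR_ROSTER, AS_OF):
        print(f"{name:20s} {finding}")
```

The "login after termination date" finding is the one that turns an access-review item into an incident: an enabled account is a control gap, but use of that account after the leave date means evidence preservation and the exfiltration hunts in the next section apply to it.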

SOC / SIEM hunts (copy-paste defensive)


# Splunk: detect large DB exports or report generations
# Assumes a "bytes" field (response size) on the events; tune index names and the 5 MB threshold to your environment.
(index=db OR index=web) "SELECT" "FROM" ("customer" OR "accounts")
| bin _time span=30m
| stats sum(bytes) as total_bytes values(uri_path) as paths by _time, src_ip, user
| where total_bytes > 5000000

# Cloud storage access (AWS CloudTrail): many GetObject calls from a single principal
# Assumes the Splunk Add-on for AWS sourcetype; adjust index/sourcetype as needed.
index=aws sourcetype=aws:cloudtrail eventSource=s3.amazonaws.com eventName=GetObject
| bin _time span=1h
| stats count dc(requestParameters.key) as distinct_objects by _time, userIdentity.arn, sourceIPAddress, requestParameters.bucketName
| where count > 200

# Detect many distinct record reads / exports in a short time (generic)
# Assumes a "query" field holding the statement text; if your source lacks one, drop the dc() term.
index=* "SELECT" "FROM" "WHERE"
| bin _time span=1h
| stats count as queries dc(query) as distinct_queries by _time, user, src_ip
| where queries > 100
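The same hunt logic as the SPL above, carried out offline over database audit-log lines so it can be tested before it is turned into a SIEM search. This is an added example, not code from the post: the log line format, the field names, the table names and the thresholds are assumptions, and the sample log is constructed. It implements the generic sliding-window rule (many reads of customer/account tables by one user within an hour, or more than 5 MB returned) and shows the parser skipping a malformed line rather than failing.

```python
"""Sliding-window detection of mass reads against customer/account tables.

Added example (not the post's code). The audit-log format below is an
assumption; SAMPLE_LOG is constructed, and thresholds are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log line format: ISO timestamp, then key=value fields, query quoted last
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) rows=(?P<rows>\d+) '
    r'bytes=(?P<bytes>\d+) query="(?P<query>[^"]*)"$'
)
# Tables whose bulk reads matter for this case; extend to your schema
SENSITIVE_TABLES = re.compile(r'\bFROM\s+(customer|accounts)\b', re.IGNORECASE)

# Constructed sample: "bob" pulls four sensitive tables in 17 minutes; "alice" does
# two single-row lookups hours apart; one line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-31T02:40:10Z user=alice src=10.0.4.10 rows=1 bytes=512 query="SELECT name FROM customer WHERE id=4411"
2024-05-31T02:41:02Z user=bob src=10.0.4.22 rows=15000 bytes=1500000 query="SELECT * FROM customer WHERE state='TX'"
2024-05-31T02:44:31Z user=bob src=10.0.4.22 rows=14200 bytes=1400000 query="SELECT * FROM customer WHERE state='UT'"
2024-05-31T02:45:09Z user=bob src=10.0.4.22 rows=200 bytes=40000 query="SELECT * FROM orders WHERE day='2024-05-30'"
2024-05-31T02:49:55Z user=bob src=10.0.4.22 rows=16100 bytes=1600000 query="SELECT * FROM accounts WHERE status='open'"
2024-05-31T02:58:12Z user=bob src=10.0.4.22 rows=13900 bytes=1300000 query="SELECT * FROM customer WHERE state='NV'"
this line is not in the expected format and is skipped by the parser
2024-05-31T09:12:40Z user=alice src=10.0.4.10 rows=1 bytes=498 query="SELECT name FROM accounts WHERE id=9"
"""


def parse_log(text):
    """Parse audit lines into event dicts; lines that do not match are skipped
    (a production pipeline would count them so a format change is noticed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "bytes": int(m["bytes"]),
            "query": m["query"],
        })
    return events


def detect_mass_reads(events, window=timedelta(hours=1), max_queries=4, max_bytes=5_000_000):
    """Per user, slide a time window over reads of sensitive tables and flag the
    first window that reaches max_queries reads or max_bytes returned.
    Returns {user: {queries, bytes, start, end, sources}}."""
    by_user = defaultdict(list)
    for e in events:
        if SENSITIVE_TABLES.search(e["query"]):   # the "orders" read is ignored
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        win, total = deque(), 0
        for e in evs:
            win.append(e)
            total += e["bytes"]
            while e["ts"] - win[0]["ts"] > window:   # expire events older than the window
                total -= win.popleft()["bytes"]
            if len(win) >= max_queries or total >= max_bytes:
                findings[user] = {
                    "queries": len(win), "bytes": total,
                    "start": win[0]["ts"], "end": e["ts"],
                    "sources": sorted({x["src"] for x in win}),
                }
                break   # one finding per user is enough to open a ticket
    return findings


if __name__ == "__main__":
    for user, f in detect_mass_reads(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {f['queries']} sensitive reads, {f['bytes']} bytes, "
              f"{f['start']:%H:%M}-{f['end']:%H:%M} from {', '.join(f['sources'])}")
```

Two points carry over to the SIEM version: count only reads that touch the sensitive tables (otherwise a busy but benign user trips the count), and expire events by time rather than by fixed buckets, so a burst that straddles a bucket boundary is not split in half.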

Defensive Sigma & YARA examples


# Sigma: suspicious mass export via DB queries
# "product: database" is a placeholder logsource; map it to your DB audit-log source in the Sigma backend config.
title: Suspicious large DB export from customer database
status: experimental
description: Full-table SELECTs against customer or account tables in database audit logs; tune the table names to your schema.
logsource:
  product: database
detection:
  selection:
    query|contains:
      - 'SELECT * FROM customer'
      - 'SELECT * FROM accounts'
  condition: selection
falsepositives:
  - Scheduled reporting or ETL jobs that legitimately read whole tables
level: high

# YARA: look for dumped files containing 'ssn' / 'social_security' / 'account_number'
# Broad by design (a single column name is enough to match); "fullword" on "ssn" avoids hits inside unrelated words.
rule Possible_FinWise_Dump
{
  meta:
    author = "CyberDudeBivash"
    date = "2025-10-11"
    description = "Flat files or exports carrying common PII / financial column names"
  strings:
    $s1 = "ssn" ascii wide nocase fullword
    $s2 = "social_security" ascii wide nocase
    $s3 = "account_number" ascii wide nocase
  condition:
    any of ($s*)
}

MITRE ATT&CK quick map

Tactic         | Technique                           | Notes
---------------|-------------------------------------|-----------------------------------------------------
Initial Access | T1078 (Valid Accounts)              | Former employee used existing/retained credentials.
Discovery      | T1083 (File & Directory Discovery)  | Searching for customer data stores / exports.
Collection     | T1119 (Automated Collection)        | Automated staging of records prior to exfiltration.
Exfiltration   | T1041                               | Exfil via cloud storage, SFTP, or direct downloads.

