
Unauthorized Access by Former Employee Reveals Sensitive Data of 700K FinWise Customers

Financial services company American First Finance, LLC, based in Dallas, experienced a substantial security incident on May 31, 2024. A departed employee misused their unrestricted access to the company's production database following their termination.


In a recent development, FinWise Bank, a Dallas-based financial services firm, has experienced a data breach. The breach, discovered on June 18, 2025, affected over 689,000 personal data records, including full names, mailing addresses, Social Security numbers, dates of birth, financial account numbers, and credit histories.

The breach was executed by an insider who leveraged residual privileges left in an archived service account, despite multi-factor authentication (MFA) and role-based access controls (RBAC) being in place. The data environment of FinWise Bank included customer data stored in Amazon RDS instances within a Virtual Private Cloud (VPC).

Following the detection of anomalous activity by the firm's SIEM system, the breach was contained through rapid account revocation, log analysis, and password resets across all internally used credentials. The data was segmented by strict security groups to minimise the potential impact.

The insider breach resulted in the exfiltration of sensitive customer records. Maine residents were particularly affected, with 208 of them receiving tailored breach notifications consistent with regulatory guidelines under Maine's Data Breach Notification Law. As the Maine resident count exceeded 1,000, consumer reporting agencies have also been notified.

In response to the breach, FinWise Bank has taken immediate steps to safeguard its customers' data. The firm plans to implement just-in-time access provisioning and enhance database encryption with AWS KMS. Additionally, user behavior analytics (UBA) will be deployed to detect anomalous insider activities.
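The failure mode described above, an archived service account that still carried usable privileges, can be checked for by reconciling the identity inventory against the offboarding feed and the database authentication log. The following is an added example, not code from FinWise or from the original report; the account names, inventory fields, log format and all sample data are constructed assumptions.

```python
from datetime import datetime

# Constructed identity inventory export (hypothetical field names).
ACCOUNTS = [
    {"name": "svc-report-old", "owner": "jdoe", "archived_at": datetime(2025, 1, 11),
     "grants": ["prod-customers:SELECT"], "key_active": True},
    {"name": "svc-etl", "owner": "asmith", "archived_at": None,
     "grants": ["prod-customers:SELECT"], "key_active": True},
    {"name": "svc-legacy-batch", "owner": "asmith", "archived_at": datetime(2024, 6, 1),
     "grants": [], "key_active": False},
]
# Constructed HR offboarding feed: user -> termination time.
TERMINATED = {"jdoe": datetime(2025, 1, 10, 17, 0)}
# Constructed database auth log: "timestamp account source action".
AUTH_LOG = """\
2025-01-09T14:02:11 svc-report-old 10.0.4.17 CONNECT
2025-01-12T02:41:55 svc-report-old 10.0.9.201 CONNECT
2025-01-12T02:43:10 svc-etl 10.0.4.22 CONNECT
"""

def cutoff(acct, terminated):
    """Earliest time after which the account should be unusable, else None."""
    times = [t for t in (acct["archived_at"], terminated.get(acct["owner"])) if t]
    return min(times) if times else None

def residual_privileges(accounts, terminated):
    """Archived or orphaned accounts that still hold grants or a live credential."""
    return sorted(a["name"] for a in accounts
                  if cutoff(a, terminated) is not None
                  and (a["grants"] or a["key_active"]))

def post_cutoff_logins(log_text, accounts, terminated):
    """Auth events by an account after it was archived or its owner left."""
    limits = {a["name"]: cutoff(a, terminated) for a in accounts}
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, name, src, _action = parts
        limit = limits.get(name)
        if limit is not None and datetime.fromisoformat(ts) > limit:
            hits.append((ts, name, src))
    return hits

if __name__ == "__main__":
    print("residual privileges:", residual_privileges(ACCOUNTS, TERMINATED))
    print("post-cutoff logins:", post_cutoff_logins(AUTH_LOG, ACCOUNTS, TERMINATED))
```

The first check is preventive and can run on every offboarding event; the second is the kind of rule a SIEM or UBA deployment would alert on.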

To assist affected customers, the firm offered 24 months of complimentary identity theft protection and credit monitoring through IDX. Services include real-time credit alerts, identity restoration services, and dark web scanning.

Electronic notifications were issued to all affected customers on July 29, 2025, adhering to Section 5B of the Gramm-Leach-Bliley Act. Associate General Counsel Jason Griggs submitted the notification.

The FinWise insider breach marks a significant event in the financial industry, underscoring the importance of robust cybersecurity measures and data protection protocols. FinWise Bank is taking the necessary steps to rectify the situation and ensure the security of its customers' data going forward.
