
FinWise Insider Breach Exposes 700K Customer Records to Former Employee

The incident, dubbed the FinWise insider breach, resulted in the exfiltration of nearly 689,000 sensitive customer records, including names, Social Security numbers, and other personal identifiers, via direct SQL queries and unmonitored API endpoints.

The company discovered the breach on June 18, 2025, after its SIEM flagged anomalous activity: unusually high volumes of data exports, encoded in Base64 and transferred over SSH tunnels to an external IP address.

Despite multi-factor authentication (MFA) and role-based access controls (RBAC) being in place, the former employee used residual privileges left on an archived service account whose access had never been revoked. MFA guards interactive logins; it does nothing for a service account whose credentials remain valid after the account is archived.
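As an added illustration (not part of the original post and not the company's own tooling), the following Python sketches the kind of correlation a SIEM rule could apply to the signals described above: export volume far above the window's median, Base64-looking payloads, an external destination, and a principal that the IAM inventory marks as archived. The log format, account names, IP addresses, internal ranges, and thresholds are all constructed for the example.

```python
"""Constructed example: flag insider-style bulk exports in export/session logs.

Each event is checked for (1) volume far above the population median,
(2) a base64-looking payload, (3) an external destination and (4) a principal
that an IAM inventory marks as archived. All data below is made up.
"""
import base64
import binascii
import ipaddress
import re
import statistics

# Assumed: the organisation's own internal ranges. ipaddress.is_private() also
# treats documentation ranges such as 203.0.113.0/24 as non-global, so an
# explicit list is more predictable for a detection rule.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed IAM inventory: service accounts archived but never deprovisioned.
ARCHIVED_SERVICE_ACCOUNTS = {"svc-report-2019"}

VOLUME_FACTOR = 100  # flag events moving >100x the median bytes of the window


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed log lines: ts|principal|action|dest_ip|bytes|payload_sample
SAMPLE_LOGS = [
    "2025-06-17T22:01:10Z|svc-report-2019|db_export|10.20.4.15|81920|SELECT ssn,name FROM customers LIMIT 100",
    "2025-06-17T22:14:02Z|alice|db_export|10.20.4.15|4096|SELECT id FROM accounts WHERE id=42",
    "2025-06-17T22:30:41Z|svc-report-2019|ssh_tunnel|203.0.113.77|734003200|" + _b64("SELECT ssn,name,dob FROM customers"),
    "2025-06-17T23:05:19Z|bob|db_export|10.20.4.15|2048|SELECT count(*) FROM loans",
    "2025-06-17T23:40:55Z|svc-report-2019|ssh_tunnel|203.0.113.77|961200000|" + _b64("CUSTOMER_RECORDS batch 2 of 9"),
]

B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def looks_base64(payload):
    """True if payload is a long, strictly valid base64 string."""
    if len(payload) % 4 or not B64_RE.match(payload):
        return False
    try:
        base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, principal, action, dest, nbytes, payload = line.split("|", 5)
    return {"ts": ts, "principal": principal, "action": action,
            "dest": dest, "bytes": int(nbytes), "payload": payload}


def detect(lines):
    """Return one alert per event that trips at least one signal."""
    events = [parse_line(line) for line in lines]
    median_bytes = statistics.median(e["bytes"] for e in events)
    alerts = []
    for e in events:
        reasons = set()
        if e["bytes"] > VOLUME_FACTOR * median_bytes:
            reasons.add("volume")
        if looks_base64(e["payload"]):
            reasons.add("base64_payload")
        if is_external(e["dest"]):
            reasons.add("external_dest")
        if e["principal"] in ARCHIVED_SERVICE_ACCOUNTS:
            reasons.add("archived_account_active")
        if reasons:
            alerts.append({"ts": e["ts"], "principal": e["principal"],
                           "reasons": reasons,
                           "severity": "high" if len(reasons) >= 3 else "low"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a["severity"], a["ts"], a["principal"], sorted(a["reasons"]))
```

On the sample data, the first export by the archived account trips only the inventory check and is rated low, while the two large Base64 transfers to the external address trip all four signals. The point of the archived-account check is that it fires on the very first query, before any volume anomaly exists, which is the earliest the incident described above could have been caught.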

Moving forward, American First Finance plans to implement just-in-time (JIT) access provisioning, strengthen database encryption with AWS KMS, and deploy user behavior analytics (UBA) to detect anomalous insider activity. These measures aim to harden its security posture and reduce the risk of future insider incidents.

Read the complete article here: FinWise Insider Breach

This post is licensed under CC BY 4.0 by the author.