
Leading Fintech Firm Finastra May Have Lost 400 GB in Data Breach

Fintech giant Finastra has confirmed a data breach in which it saw some amount of internal information exfiltrated, but the exact amount remains in question.

The company, which is a fintech service provider for 45 of the 50 largest banks in the world, has sent out data breach notifications to customers. The breach is tied to postings on criminal underground outlet BreachForums that offered a total of 400 GB of zipped data. The hacker claims the cache contains a broad assortment of internal business information such as source code for the service’s apps, prebuilt virtual machines, documentation and employee credentials.

Data breach carried out by previously unknown hacker

The attacker goes by the handle “abyss0” and some digging by Krebs on Security revealed that they have previously offered a number of allegedly stolen databases for sale, though nothing of this magnitude before. The hacker first offered the Finastra data for sale in late October for $20,000 USD, dropping the asking price to $10,000 USD in a November 8 update. They have since removed their account and all threads about their data breach, as well as a Telegram account they had listed.

The fintech firm’s primary business is in processing digital wire and bank transfers for its clients, which total some 8,100 financial industry businesses around the world. The company is based in London, but has a presence in 42 countries and about 7,000 total employees. Finastra has issued a statement assuring customers that the data breach did not necessarily involve information from their accounts, but that it is still determining the “scope and nature” of what was taken.

That tracks with the hacker’s now-removed BreachForums posts, which primarily touted access to the company’s backup and archive files along with source code and documentation. The most concerning element was the claim that employee credentials were included, which could open more doors. But the fintech firm says that only one of its secure file transfer (SFTP) platforms was impacted by the data breach, that it was not the “primary” platform for data transfers, and that likely not all of its customers would be involved. However, it said that it would reach out individually to customers that might be impacted. It has also stated that no malware was deployed as part of the attack.

Jason Soroko, Senior Fellow at Sectigo, observes that it could take some time for the full extent of the damage to be known to the general public: “Analyzing stolen data in breaches like this is challenging because of the volume and diversity of information across multiple company divisions or back-office silos. It is difficult to map stolen files to specific customers and to assess the sensitivity of each piece of information. Sifting through logs and knowing what the adversary exfiltrated could take a long time. This process is complicated by varying data formats and storage locations, making it difficult to quickly determine the full impact.”

Only “certain” customers of fintech platform impacted

The Krebs reporting indicated that the data breach was the result of stolen credentials, something that Finastra has since confirmed as the “likely” origin of the attack. The fintech platform added that it observed no lateral movement by the attacker from the SFTP server that was compromised. However, the company also said that its investigation of the “root cause” was still ongoing.

The fintech platform’s security policies are not known to the public, but a lack of adequate multi-factor authentication (MFA) has been something of a theme in major breaches as of late. The FCC had to step in and order T-Mobile to improve its practices in this area (among other elements of its cybersecurity) as part of a consent decree established in October. Studies conducted over the last two years have shown that this is more of an issue with small-to-medium-sized businesses, but an Osterman Research study from September found that almost 95% of all companies do not apply the policy to all employees and a little over 99% still use vulnerable one-time-code methods for at least some of this access.

Finastra has dealt with at least one prior data breach, a 2020 ransomware attack that forced the company to take some of its infrastructure offline and disrupted service for several days after it opted not to pay the ransom. The reason for that breach was never formally confirmed, but security researchers at the time noted that the company had been running Citrix servers with known vulnerabilities and an older version of Pulse Secure VPN that was exploitable.

The hackers also mentioned exploiting IBM Aspera, a file transfer solution that has also seen several published vulnerabilities since 2022. The most recent of these were remediated in September of this year with the Faspex 5.0.10 update.

It is far from uncommon for data breaches to turn out to be worse than initially reported in the weeks and months that follow, but the financial industry is also under tighter reporting requirements than most.

Joshua Roback, Principal Security Solution Architect at Swimlane, does not see the scope or damage of this breach expanding in the future but does note that it highlights common points of weakness: “This incident … serves as a stark reminder to the broader financial industry of the critical need for proactive security measures coupled with comprehensive response plans. The financial services sector faces unique constraints due to the abundance of sensitive customer data and strained team bandwidth, creating both a unique challenge for security teams and gaps for threat actors to exploit. As a result, 42% of financial organizations have experienced breaches with a total cost of $1 million or more.”

“While technological innovation and speed are essential in this industry, they are meaningless without a strong security foundation. As operations grow increasingly complex, this foundation will be essential to safeguarding customer data and assets. The threat actors in this attack leveraged stolen credentials to access the server, and high-speed data transfer technology to quickly exfiltrate sensitive data, highlighting the need for robust anomaly detection with fast and automated response capabilities. Overall, organizations must prioritize layered security strategies that focus on proactive threat detection, response, and investigation. Automating security processes can break down silos and improve efficiency, which is critical for financial institutions where security and fraud teams often don’t collaborate,” added Roback.
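The pattern Roback describes, a valid account pulling a huge volume through a file-transfer platform with no malware and no lateral movement, is one that transfer logs alone can surface. The following is an added example, not Finastra's tooling or any vendor's product: a batch check over constructed SFTP transfer log lines (the format, the account names and the addresses are all assumed) that flags sessions whose egress dwarfs the account's own prior baseline or that arrive from a client address the account has never used.

```python
# Added example (not Finastra's or any vendor's code): a batch anomaly check over
# constructed SFTP transfer logs, flagging a known account that suddenly serves
# far more data than usual and from a client address never seen for it before.
from collections import defaultdict
from statistics import mean

# Constructed sample log lines: timestamp, account, client address, bytes served.
# The last ops-backup line models a ~400 GiB pull against a ~2 GiB daily baseline.
SAMPLE_LOG = """\
2024-11-01T09:12:03Z acct=ops-backup src=203.0.113.10 bytes_out=2147483648
2024-11-02T09:11:48Z acct=ops-backup src=203.0.113.10 bytes_out=2254857830
2024-11-03T09:13:11Z acct=ops-backup src=203.0.113.10 bytes_out=2040109465
2024-11-04T09:12:40Z acct=ops-backup src=203.0.113.10 bytes_out=2201170739
2024-11-05T02:41:09Z acct=ops-backup src=198.51.100.77 bytes_out=429496729600
2024-11-01T10:00:00Z acct=partner-a src=192.0.2.5 bytes_out=10485760
2024-11-02T10:00:00Z acct=partner-a src=192.0.2.5 bytes_out=9437184
"""


def parse_log(text):
    """Parse 'ts key=value ...' lines into dicts; bytes_out becomes an int."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": ts, "acct": kv["acct"], "src": kv["src"],
                       "bytes_out": int(kv["bytes_out"])})
    return sorted(events, key=lambda e: e["ts"])  # ISO-8601 sorts lexically


def find_exfil_anomalies(events, ratio=10.0, min_bytes=1 << 30):
    """Return (account, timestamp, reasons) for sessions that stand out against
    that account's *earlier* sessions: egress >= ratio * mean prior egress (and at
    least min_bytes, so small accounts don't alert on noise), or a client address
    the account has never used. The first session of an account has no baseline."""
    history = defaultdict(list)
    alerts = []
    for e in events:
        prior = history[e["acct"]]
        if prior:
            reasons = []
            baseline = mean(p["bytes_out"] for p in prior)
            if e["bytes_out"] >= min_bytes and e["bytes_out"] >= ratio * baseline:
                reasons.append(f"egress {e['bytes_out'] / baseline:.0f}x baseline")
            if e["src"] not in {p["src"] for p in prior}:
                reasons.append(f"new source {e['src']}")
            if reasons:
                alerts.append((e["acct"], e["ts"], reasons))
        prior.append(e)
    return alerts
```

Run against the constructed log, only the 02:41 ops-backup session is reported, with both reasons; in production the baseline window and thresholds would be tuned per account class, and the alert would feed the automated response Roback calls for (session termination, credential rotation) rather than a batch report.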

Trey Ford, Chief Information Security Officer at Bugcrowd, adds some detail and insight on how the rest of the investigation is likely to play out: “The first challenge in incident response is drawing the sandbox of what’s in scope, how systems and information were accessed, and what was taken. The process of inventory and impact – companies will retain outside counsel who will pull in a DFIR (data forensics/incident response) partner to drive the investigation, and will use specialized firms to inventory the data (intellectual property vs. privacy-impacted data, etc…) to understand which customers, and which users, were impacted. From there, the analysis is done to understand where the parties are based, and what privacy laws are impacted by the compromised data. These investigations can take weeks to months, depending on a wide variety of variables. “Right of Boom” – the actions and responses taken after the incident happens – the first priority is recovering positive control of the environment, and preventing re-compromise or further loss of control. The scope of impact often expands during that analysis. Concurrently, impacted data will be inventoried, and the notification clock starts – timelines to notifying impacted parties and data supervisory authorities or regulators.”