FinWise Bank is warning on behalf of corporate customers that it suffered a data breach after a former employee accessed sensitive files after the end of their employment.
“On May 31, 2024, FinWise experienced a data security incident involving a former employee who accessed FinWise data after the end of their employment,” reads a data breach notification sent by FinWise on behalf of American First Finance (AFF).
American First Finance (AFF) is a company that offers consumer financing products, including installment loans and lease-to-own programs, for a diverse range of products and services. Customers use AFF to apply for and manage the loans, with the company handling the services, account setup, repayment process, and customer support.
FinWise partners with American First Finance by serving as the bank that originates and funds these loans.
According to a filing with the Maine Attorney General’s office, American First Finance disclosed that the FinWise Bank data breach impacted the data of 689,000 of its customers. The filing included a notification letter prepared by FinWise on behalf of American First Finance, confirming that the bank itself was the source of the incident.
FinWise said that files containing customer information, including full names and other personal data elements, were accessed during the breach, but redacted the complete list of exposed data breach notification.
The company did not disclose how the ex-employee was able to access this data after they were no longer employed or the total number of people impacted by the FinWise breach.
Upon discovery, the bank launched an investigation with outside cybersecurity professionals to assess the scope of the exposure.
FinWise says it has strengthened internal controls to reduce the risk of similar incidents and is offering 12 months of free credit monitoring and identity theft protection services to those impacted.
BleepingComputer contacted FinWise Bank to learn more about the breach, but a FinWise spokesperson said they do not comment on ongoing litigation.
However, the company shared a link to a recent quarterly SEC filing (June 30, 2025 Form 10-Q), in which the company notes that approximately 600,000 people were impacted, a number similar to the one cited by American First Finance.
The company is now facing multiple class-action lawsuits related to the data breach.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
Source link
