Fintech giant Finastra notifies victims of October data breach


Financial technology giant Finastra is notifying victims of a data breach after their personal information was stolen by unknown attackers who first breached its systems in October 2024.

London-based Finastra provides financial services software applications to more than 8,100 financial institutions across 130 countries, including 45 of the world’s top 50 banks.

As the company warned in breach notification letters sent to those impacted by the breach, the security incident was first detected on November 7 after Finastra identified malicious activity on some of its systems.

“Our investigation revealed that an unauthorized third party accessed a Secure File Transfer Platform (SFTP) at various times between October 31, 2024 and November 8, 2024. Findings from the investigation indicate that on October 31, 2024, the unauthorized third party obtained certain files from the SFTP,” the fintech giant said.

“Finastra has no indication the unauthorized third party further copied, retained, or shared any of the data. We have no reason to suspect your information has or will be misused. As a result, we believe the risk to individuals whose personal data was involved is low.”

While Finastra has yet to share the number of individuals affected by the data breach and the nature of the exposed data (besides victims’ names), the company started sending breach notification letters last week to at least 65 people in Massachusetts whose financial account information was stolen, according to filings with the state's Attorney General’s office.

The financial services company also provides two years of free credit monitoring and identity restoration services through Experian to those whose information was exposed or stolen in the attack.

Although Finastra disclosed very limited information in filings with Attorney General offices, the breach is believed to be linked to a (now-deleted) post made by a threat actor known as “abyss0” on the BreachForums online cybercrime community claiming to sell 400GB of data allegedly stolen from Finastra’s network.

Allegedly stolen Finastra data for sale on BreachForums (KELA)

When BleepingComputer asked about the forum post in November, a Finastra spokesperson would neither confirm nor deny whether the data belonged to the company, only saying that they had suffered a limited-scope security breach and were evaluating its impact.

“On November 7, 2024 Finastra’s Security Operations Center (SOC) detected suspicious activity related to an internally hosted Secure File Transfer Platform (SFTP) we use to send files to certain customers,” Finastra told BleepingComputer.

Finastra was also forced to take some of its systems offline in March 2020 to contain what Tom Kilroy, the company’s Chief Operating Officer at the time, described as a ransomware attack.

While the company didn’t share how the attackers gained access to its systems, cyber threat intelligence firm Bad Packets found that Finastra had multiple unpatched Pulse Secure VPN and Citrix ADC (NetScaler) servers before the attack.

A Finastra spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today to provide more details on the October 2024 data breach.


