American First Finance, LLC, a Dallas-based financial services firm, suffered a significant insider breach when a recently terminated employee exploited unauthorized access to its production database.
The incident, dubbed the FinWise insider breach, resulted in the exfiltration of sensitive customer records (nearly 689,000 names, Social Security numbers, and other personal identifiers) via direct SQL queries and unmonitored API endpoints.
The company discovered the breach on June 18, 2025, following anomalous activity flagged by its SIEM system, which detected unusually high volumes of data exports encoded in Base64 and transferred over SSH tunnels to an external IP address.
Key Takeaways
1. 689K records exposed via insider database access.
2. Notifications sent July 29, 2025; 24-month IDX protection offered.
3. Incident contained; moving to JIT access, AWS KMS, and analytics.
American First Finance Data Breach
American First Finance’s data environment included customer data stored in Amazon RDS instances within a Virtual Private Cloud (VPC) segmented by strict security groups.
Despite multi-factor authentication (MFA) and role-based access controls (RBAC), the former employee leveraged residual privileges left in an archived service account.
Once authenticated, the insider executed automated SELECT statements across multiple schema tables, extracting PII in CSV format. The extracted dataset contained:
- Full names and mailing addresses
- Social Security numbers and dates of birth
- Financial account numbers and credit histories
According to a filing with the Maine Attorney General’s office, a total of 689,000 individuals were affected, including 208 Maine residents. Under Maine’s Data Breach Notification Law, consumer reporting agencies have been notified, as the Maine resident count exceeded 1,000.
American First Finance promptly engaged Mandiant for forensic analysis, confirming no evidence of lateral movement beyond the compromised account and no additional exploitation of externally facing systems.
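As an added illustration (not code from the article, the company or Mandiant) of the two signals this incident description highlights, a deprovisioned account still holding residual privileges and an unusually high volume of rows exported in a short window, the following Python script runs both checks over constructed database audit log lines; the log format, account names, timestamps, threshold and row counts are all assumptions.

```python
"""Two insider-threat signals over constructed DB audit log lines (hypothetical
format): use of an archived service account, and export volume above baseline."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: "<timestamp> <principal> <op> <table> rows=<n>".
# Names, timestamps and counts are invented for illustration, not incident data.
SAMPLE_LOG = """\
2025-06-17T22:01:10Z svc-reporting-archived SELECT customers rows=48000
2025-06-17T22:03:41Z svc-reporting-archived SELECT ssn_ledger rows=52000
2025-06-17T22:05:02Z svc-reporting-archived SELECT accounts rows=61000
2025-06-17T22:07:55Z analyst.jane SELECT customers rows=120
2025-06-17T22:09:12Z svc-billing SELECT invoices rows=3000
"""
ARCHIVED_ACCOUNTS = {"svc-reporting-archived"}  # assumed deprovisioning list
ROW_BASELINE = 10_000                             # assumed rows-per-window threshold
WINDOW = timedelta(minutes=10)

def parse_line(line):
    ts, principal, op, table, rows = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal, "op": op, "table": table,
            "rows": int(rows.split("=", 1)[1])}

def detect(log_text, archived=ARCHIVED_ACCOUNTS, baseline=ROW_BASELINE, window=WINDOW):
    """Return a list of (signal, principal, detail) alerts."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts, by_principal = [], defaultdict(list)
    for e in events:
        by_principal[e["principal"]].append(e)
    for principal, evs in by_principal.items():
        # Signal 1: an account that should hold no privileges is still querying.
        if principal in archived:
            alerts.append(("archived_account_used", principal, evs[0]["ts"].isoformat()))
        # Signal 2: rows exported within a sliding window exceed the baseline.
        start = total = 0
        for i, e in enumerate(evs):
            total += e["rows"]
            while e["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total > baseline:
                alerts.append(("export_volume", principal, total))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

In a real deployment the archived-account set would be fed from the identity system's deprovisioning records and the baseline derived per principal from historical volume rather than a fixed constant.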
Mitigations
On July 29, 2025, American First Finance issued electronic notifications to all affected customers, adhering to Section 5B of the Gramm-Leach-Bliley Act.
Maine residents received a tailored breach notification consistent with regulatory guidelines, including a copy of the official notice.
The firm offered 24 months of complimentary identity theft protection and credit monitoring through IDX, featuring real-time credit alerts, identity restoration services, and dark web scanning.
Associate General Counsel Jason Griggs, who submitted the notification, emphasized that the breach was contained through rapid account revocation, log analysis, and password resets across all internally used credentials.
“Our security operations center (SOC) moved swiftly to isolate the compromised credential and ensure no further unauthorized access,” stated Griggs.
Moving forward, American First Finance plans to implement just-in-time (JIT) access provisioning, enhance database encryption with AWS KMS, and deploy user behavior analytics (UBA) to detect anomalous insider activities. These measures aim to fortify their security posture and prevent future insider threats.