FinWise Bank reported a security incident: a former employee gained access to the bank’s internal files after being fired, which led to a leak of personal data of clients of its partner — American First Finance (AFF). According to a filing with the Maine Attorney General, the incident affected the data of approximately 689,000 AFF users. Victims are offered 12 months of free credit monitoring; several class action lawsuits have already been filed against the company.

The incident occurred on May 31, 2024: the ex-employee accessed FinWise files after the end of the employment relationship.
The compromised files contained full names and other personal attributes (the full list in the notification has been redacted).
FinWise did not disclose how exactly the former employee gained access, or how many people in total were affected across all the bank’s clients.
The investigation is being conducted with the involvement of external cybersecurity experts; the bank claims to have strengthened internal access controls.
In the SEC 10-Q report dated June 30, 2025, the company tentatively estimates the scale at ~600 thousand people, which correlates with the AFF estimate.
Affected customers are offered 12 months of credit monitoring and identity theft protection.
AFF provides installment loans and lease-to-own programs, and FinWise Bank acts as the originator bank and finances these loans.

Insider threats are one of the most complex risk categories: they arise when offboarding processes (instant account shutdown, access token revocation, key rotation, SaaS/cloud entitlement verification) are incomplete or delayed. The critical controls for such environments are Zero Trust, least privilege, logging, JIT permissions, regular role audits, and SSO/MFA without ghost logins.
AFF/FinWise customers should immediately activate the proposed monitoring, review recent bank/credit statements, enable transaction alerts, consider credit freezes (where available), and be vigilant for phishing contacts that refer to the incident. This case is a reminder to companies that the best defense against insiders is instant offboarding, centralized access control, and continuous activity monitoring.
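The offboarding checks named above (account shutdown, token revocation, entitlement verification, activity monitoring) can be audited by reconciling HR termination records against the credential inventory and access logs. The following is an added example, not code from FinWise or AFF; all user names, credential IDs, paths, dates and the log format are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical; not taken from the incident).
TERMINATIONS = {  # HR system of record: user -> termination time (UTC)
    "jdoe": datetime(2025, 1, 10, 17, 0, tzinfo=timezone.utc),
}
CREDENTIALS = [  # inventory across directory, API tokens and SaaS-local logins
    {"user": "jdoe", "kind": "sso_account", "id": "jdoe@corp", "active": False},
    {"user": "jdoe", "kind": "api_token", "id": "tok-01", "active": True},
    {"user": "jdoe", "kind": "saas_local_login", "id": "files-app:jdoe", "active": True},
    {"user": "asmith", "kind": "sso_account", "id": "asmith@corp", "active": True},
]
ACCESS_LOG = [  # assumed format: "<ISO timestamp> <user> <credential_id> <resource>"
    "2025-01-09T09:12:00+00:00 jdoe jdoe@corp /shares/loans/q1.xlsx",
    "2025-01-29T22:41:00+00:00 jdoe files-app:jdoe /shares/customers/export.csv",
    "2025-01-30T08:00:00+00:00 asmith asmith@corp /shares/loans/q2.xlsx",
    "truncated-line",
]

def residual_credentials(terminations, credentials):
    """Credentials still active for users HR lists as terminated."""
    return [c for c in credentials if c["active"] and c["user"] in terminations]

def post_termination_access(terminations, log_lines):
    """Log events made by a terminated user at or after the termination time."""
    hits = []
    for line in log_lines:
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the audit
        ts, user, cred, resource = parts
        end = terminations.get(user)
        when = datetime.fromisoformat(ts)
        if end is not None and when >= end:
            hits.append({"user": user, "credential": cred,
                         "resource": resource, "delay": when - end})
    return hits

if __name__ == "__main__":
    for c in residual_credentials(TERMINATIONS, CREDENTIALS):
        print(f"REVOKE {c['kind']} {c['id']} (user {c['user']} is terminated)")
    for h in post_termination_access(TERMINATIONS, ACCESS_LOG):
        print(f"ALERT {h['user']} used {h['credential']} on {h['resource']} "
              f"{h['delay']} after termination")
```

In the sample data the SSO account was disabled on time, but a SaaS-local login outside SSO stayed active and was used after termination, which is the "ghost login" case.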