Former FinWise employee may have stolen sensitive data on 689,000 American First Finance customers

News
By published

A popular bank faces an insider threat

Two cybercriminals escape with stolen login credentials
(Image credit: Getty Images)
  • A former FinWise employee accessed sensitive data on 689,000 people more than a year after leaving the company
  • Victims likely include those with FinWise loans or accounts serviced by American First Finance, its technology partner
  • FinWise hired security experts, notified authorities, and offered credit monitoring

FinWise Bank, a Utah-based community bank, recently suffered an insider data breach when a former employee accessed sensitive customer data after their employment had ended.

In a new report filed with the Office of the Maine Attorney General, FinWise said that the breach happened on May 31, 2024, but was discovered more than a year later, on June 18, 2025. In total, sensitive data on 689,000 people was compromised.

While the filing does not detail the nature of the stolen files, a data breach notification letter, sent to affected individuals, mentions “full names” and other “data elements”.

Tricking GPT with a "mock-up" request

The company did not explain exactly how the ex-employee accessed the files.

FinWise did say that the data could be related to American First Finance (AFF), a financial services company that provides alternative consumer financing, especially for people with limited, or poor credit history.

FinWise contracts with AFF to offer installment loans to consumers,” the bank explained. “In this arrangement, FinWise is the lender and AFF is the technology provider. FinWise originates the loan and provides funds to the consumer. AFF is contracted to provide the application platform, facilitate the loan origination for FinWise, as well as service the loan on behalf of FinWise.”

The bank hints that those who have had, or applied for, a FinWise installment loan, a lease-to-own account, or a retail installment sales agreement account, are the likely victims of this incident.

After finding out about the attack, the bank did what all companies do when faced with a similar thing: brought in third-party security experts to assess the damage and analyze the attack, notified law-enforcement and other relevant authorities, reached out to affected individuals, and offered one year of free credit monitoring and identity theft protection. The name of the vendor was not disclosed.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.