A US fintech player has notified customers that their personal information may have been compromised after a former employee accessed it.
The incident at FinWise Bank occurred on May 31 2024, but wasn’t discovered until over a year later, on June 18 2025, according to a filing with the Office of the Maine Attorney General.
“FinWise experienced a data security incident involving a former employee who accessed FinWise data after the end of their employment,” the breach notification letter reads.
“Some of the data impacted includes American First Finance’s (AFF’s) data.”
FinWise works with credit lender AFF to offer installment loans to consumers.
Read more on insider threats: 61% of US Companies Hit by Insider Data Breaches
According to the notification, 689,000 FinWise/AFF customers were impacted by the insider incident. In the notification letter, FinWise redacted most of the personal information categories relevant to the case, revealing only that customers’ full names were compromised.
“Upon learning of the incident, FinWise immediately launched an investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of situations to help determine whether any sensitive data had been accessed by the former FinWise employee after the end of their employment,” it added.
Utah-headquartered FinWise has offered affected customers 12 months of free credit monitoring and identity theft protection services, and urged them to place a fraud alert and/or security freeze on credit files, as well as obtain a free credit report.
“Additionally, you should always remain vigilant in reviewing your financial account statements and credit reports for fraudulent or irregular activity on a regular basis,” it added.
Most Firms Lack Insider Threat Detection
Exabeam CISO, Kevin Kirkwood, claimed 90% of organizations lack the resources to effectively detect and respond to insider threats.
“Organizations must do a better job of prioritizing and segmenting access to sensitive information to prevent one person from being able to access any and all information,” he added.
“In this case, the threat actor responsible had been let go by FinWise prior to the breach occurring, yet still had the knowledge needed to steal hundreds of thousands of client records.”
Kirkwood argued that CISOs should combine more investment in cyber defense with improved education programs for employees – keeping AI threats front of mind.
“Organizations must provide clear guidelines on reducing unnecessary or unauthorized access to sensitive information,” he explained.
