Executive Summary
In January 2026, Figure Technology Solutions, a blockchain-based fintech lender, suffered a data breach exposing the personal information of approximately 967,200 customers. The breach was executed by the cybercriminal group ShinyHunters through a social engineering attack that deceived an employee into granting unauthorized access. The compromised data includes full names, email addresses, phone numbers, physical addresses, and dates of birth. ShinyHunters subsequently published 2.5GB of this data online after Figure declined to meet their ransom demands. This incident underscores the increasing prevalence of social engineering tactics targeting financial institutions, highlighting the critical need for robust employee training and advanced security measures to prevent unauthorized access. Organizations must remain vigilant against such sophisticated attacks to protect sensitive customer information and maintain trust.
Why This Matters Now
The Figure Technology Solutions breach exemplifies the escalating threat posed by social engineering attacks, particularly within the financial sector. As cybercriminal groups like ShinyHunters continue to refine their tactics, organizations must prioritize comprehensive security awareness training and implement stringent access controls to mitigate the risk of similar incidents.
Attack Path Analysis
The attackers initiated the breach by employing voice phishing (vishing) techniques to deceive a Figure Technology Solutions employee into providing access credentials. With these credentials, they escalated privileges by enrolling their own multi-factor authentication (MFA) devices, ensuring persistent access. Subsequently, they moved laterally within the cloud environment, accessing various SaaS platforms such as Salesforce and SharePoint. They established command and control by maintaining unauthorized access to these platforms. The attackers exfiltrated sensitive customer data, including personal and contact information of nearly 1 million accounts. Finally, they impacted the organization by leaking the stolen data online and issuing extortion demands.
Kill Chain Progression
Initial Compromise
Description
Attackers used voice phishing (vishing) to impersonate IT support, convincing an employee to provide access credentials.
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Phishing
Valid Accounts
Brute Force
Exfiltration Over C2 Channel
Automated Exfiltration
Exfiltration Over Alternative Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Awareness Training
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Training and Monitoring
Control ID: 500.14(b)
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Verification and Authentication
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Direct exposure to social engineering attacks targeting SSO systems, PCI compliance violations, and customer data exfiltration requiring enhanced egress security controls.
Banking/Mortgage
High vulnerability to vishing campaigns targeting loan applicant data, requiring zero trust segmentation and encrypted traffic monitoring for regulatory compliance.
Computer Software/Engineering
Critical risk from ShinyHunters targeting SSO platforms like Okta, Microsoft, Google requiring anomaly detection and threat response for multi-cloud environments.
Information Technology/IT
Systematic exposure to social engineering attacks compromising enterprise applications requiring enhanced visibility, policy enforcement, and secure hybrid connectivity solutions.
Sources
- Data breach at fintech firm Figure affects nearly 1 million accountshttps://www.bleepingcomputer.com/news/security/data-breach-at-fintech-firm-figure-affects-nearly-1-million-accounts/Verified
- Figure Technology Solutions Data Breach Claims Investigated by Lynch Carpenterhttps://www.globenewswire.com/news-release/2026/02/17/3239598/0/en/figure-technology-solutions-data-breach-claims-investigated-by-lynch-carpenter.htmlVerified
- Fintech lender Figure hit by data breach impacting 967k accountshttps://cyberinsider.com/fintech-lender-figure-hit-by-data-breach-impacting-967k-accounts/Verified
- Figure Technology Solutions Confirms Data Breach - TechCrunchhttps://longbridge.com/en/news/275944118Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting unauthorized lateral movement and data exfiltration. By enforcing identity-aware segmentation and controlled egress, it could have reduced the attacker's ability to escalate privileges and access sensitive data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent credential theft via social engineering, it could limit the subsequent unauthorized access within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely constrain the attacker's ability to escalate privileges by enforcing least-privilege access controls.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely limit lateral movement by restricting unauthorized internal communications.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized command and control activities across cloud platforms.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling outbound traffic.
While Aviatrix CNSF may not prevent data leakage once exfiltrated, its controls could likely reduce the scope of data accessible to attackers, thereby limiting potential impact.
Impact at a Glance
Affected Business Functions
- Customer Relationship Management
- Loan Processing
- Customer Support
Estimated downtime: N/A
Estimated loss: N/A
Personal information of approximately 967,200 customers, including full names, email addresses, phone numbers, physical addresses, and dates of birth.
Recommended Actions
Key Takeaways & Next Steps
- • Implement phishing-resistant multi-factor authentication (MFA) methods, such as FIDO2 security keys, to prevent unauthorized access through social engineering attacks.
- • Conduct regular security awareness training for employees to recognize and respond appropriately to social engineering tactics like vishing.
- • Enforce strict access controls and monitor for unauthorized MFA device enrollments to detect and prevent privilege escalation.
- • Utilize Cloud Network Security Framework (CNSF) capabilities, such as Zero Trust Segmentation and East-West Traffic Security, to limit lateral movement within the cloud environment.
- • Implement comprehensive logging and monitoring solutions to detect and respond to unauthorized data access and exfiltration activities promptly.
