Executive Summary
In early 2024, FinWise, a financial services provider, suffered a significant data breach traced to an insider threat that circumvented internal security controls. The attacker exploited inadequate encryption of sensitive data in transit, extracting customer records via lateral movement across poorly segmented network segments. Because traffic was not properly encrypted, packet sniffing allowed the attacker to collect financial and personal data largely undetected for several weeks. The breach led to loss of confidential information, potential regulatory scrutiny, and reputational harm for FinWise.
This incident highlights a rising wave of insider threats exploiting deficiencies in east-west traffic security and underscores the importance of robust, end-to-end encryption as regulatory bodies tighten requirements for securing data in transit and at rest across hybrid and multi-cloud environments.
Why This Matters Now
As organizations face increasingly sophisticated insider threats, relying solely on perimeter defenses is no longer sufficient. This breach underscores the urgency for end-to-end encryption, zero trust segmentation, and continuous traffic monitoring, as both attackers and regulators focus on internal controls and data protection standards.
Attack Path Analysis
The attacker initially compromised FinWise's cloud environment, likely via weak credentials or insider access. They escalated privileges to access sensitive data stores, then moved laterally across internal services and cloud regions to expand their reach. Command and control mechanisms were established to maintain persistence and coordinate actions. Sensitive data was exfiltrated through unmonitored or insufficiently protected egress channels. Ultimately, the breach resulted in large-scale unauthorized data exposure, emphasizing the importance of robust traffic encryption as the final defense.
Kill Chain Progression
Initial Compromise
Description
The attacker gained entry into the FinWise cloud environment, potentially through credential compromise or insider threat.
MITRE ATT&CK® Techniques
Valid Accounts
Credentials in Files
Event Triggered Execution
Brute Force
Unsecured Credentials
Data from Cloud Storage Object
Exfiltration Over C2 Channel
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Rendering PAN unreadable anywhere it is stored
Control ID: 3.5.1
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA (EU Digital Operational Resilience Act) – Protection and Prevention
Control ID: Article 9(2)
CISA Zero Trust Maturity Model 2.0 – Encrypt Data at Rest and in Transit
Control ID: Data Pillar - Protect
NIS2 Directive – Access Control and Asset Management
Control ID: Article 21(2)(d)
GLBA (Gramm-Leach-Bliley Act) – Protecting Customer Information
Control ID: 16 CFR Part 314.4(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
FinWise breach demonstrates critical vulnerability to insider threats requiring encryption, zero trust segmentation, and comprehensive data protection for sensitive financial information.
Banking/Mortgage
Data breach incident highlights need for east-west traffic security, threat detection capabilities, and encrypted communications to protect customer financial data.
Health Care / Life Sciences
Insider threat vulnerabilities require HIPAA-compliant encryption solutions, anomaly detection systems, and secure multicloud visibility for protected health information.
Information Technology/IT
Security fabric and cloud-native enforcement capabilities essential for preventing data exfiltration and implementing zero trust architecture across hybrid environments.
Sources
- FinWise data breach shows why encryption is your last defensehttps://www.bleepingcomputer.com/news/security/finwise-data-breach-shows-why-encryption-is-your-last-defense/Verified
- FinWise took a year to disclose a breach affecting 689,000https://www.americanbanker.com/news/finwise-waited-a-year-to-disclose-a-breach-affecting-689-000Verified
- DATA BREACH ALERT: Edelson Lechtzin LLP is Investigating Claims on Behalf of FinWise Bank Customers Whose Data May Have Been Compromisedhttps://www.globenewswire.com/news-release/2025/07/30/3124512/0/en/DATA-BREACH-ALERT-Edelson-Lechtzin-LLP-is-Investigating-Claims-on-Behalf-of-FinWise-Bank-Customers-Whose-Data-May-Have-Been-Compromised.htmlVerified
- Insider breach at FinWise Bank exposes data of 689,000 AFF customershttps://securityaffairs.com/182222/data-breach/insider-breach-at-finwise-bank-exposes-data-of-689000-aff-customers.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Granular network segmentation, strong east-west and egress controls, and pervasive encryption would have limited the attacker's ability to move laterally, exfiltrate data, or cause significant impact. Zero Trust principles, enforced through CNSF-aligned controls, disrupt kill chain progression even in cases of initial compromise.
Control: Multicloud Visibility & Control
Mitigation: Suspicious authentication or access attempts would be rapidly detected and investigated.
Control: Zero Trust Segmentation
Mitigation: Unauthorized privilege escalations are blocked or isolated via strict identity-based segmentation.
Control: East-West Traffic Security
Mitigation: Internal movement is detected and thwarted by restricting uncontrolled east-west communication.
Control: Inline IPS (Suricata)
Mitigation: Malicious C2 channels are detected and blocked in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound data transfers are stopped or flagged before reaching external destinations.
Data remained unreadable even if exfiltrated, minimizing breach impact.
Impact at a Glance
Affected Business Functions
- Customer Service
- Loan Processing
- Compliance and Legal
Estimated downtime: 14 days
Estimated loss: $5,000,000
The breach exposed sensitive personal information of approximately 689,000 individuals, including full names, dates of birth, Social Security numbers, and account numbers. This exposure increases the risk of identity theft and financial fraud for the affected individuals.
Recommended Actions
Key Takeaways & Next Steps
- • Implement end-to-end encryption for all sensitive data in transit and at rest to neutralize potential data theft.
- • Enforce strict zero trust segmentation between workloads, identities, and environments to reduce lateral movement risk.
- • Deploy comprehensive east-west and egress filtering with centralized visibility for all traffic flows in multi-cloud and hybrid networks.
- • Integrate inline intrusion prevention and anomaly detection to actively hunt for and respond to covert attacker activity.
- • Regularly audit access policies and privilege assignments, ensuring least privilege is maintained and all sensitive assets are protected by identity-driven controls.
