FinWise Data Breach Exposes 689K American First Finance Customers
▼ Summary
– FinWise Bank suffered a data breach when a former employee accessed sensitive files after their employment ended, as disclosed on behalf of corporate customer American First Finance (AFF).
– The breach impacted approximately 689,000 customers of AFF, a consumer financing company that partners with FinWise to originate and fund loans.
– Exposed data included full names and other personal information, though the complete list was redacted in notifications, and the method of unauthorized access was not disclosed.
– FinWise launched an investigation with cybersecurity experts, strengthened internal controls, and is offering affected individuals 12 months of credit monitoring and identity theft protection.
– The bank is facing multiple class-action lawsuits related to the incident and has cited around 600,000 affected individuals in an SEC filing, aligning with AFF’s reported figures.
A significant data breach at FinWise Bank has compromised the personal information of approximately 689,000 American First Finance customers, following unauthorized access by a former employee. The incident, which occurred after the individual’s employment ended, raises serious concerns about data security protocols and post-employment access controls within financial institutions.
FinWise disclosed the breach in a formal notification issued on behalf of American First Finance (AFF), a consumer financing provider offering installment loans and lease-to-own services. AFF relies on FinWise to originate and fund its loans, making the bank a critical partner in its operations. The unauthorized access took place on May 31, 2024, though the exact method used by the former employee remains undisclosed.
According to a filing with the Maine Attorney General’s office, the breach exposed sensitive customer data, including full names and additional personal information. While FinWize confirmed that files were accessed, it withheld a full list of compromised data elements. In response, the bank initiated an internal investigation with the support of external cybersecurity experts to determine the full extent of the incident.
To mitigate potential harm, FinWise has enhanced its internal security measures and is offering affected individuals 12 months of complimentary credit monitoring and identity theft protection. Despite these efforts, the company faces multiple class-action lawsuits in connection with the breach.
When approached for comment, a FinWise representative declined to discuss the incident due to ongoing litigation but directed attention to a recent SEC filing. The document, dated June 30, 2025, references an impact on roughly 600,000 individuals, a figure consistent with AFF’s disclosure. This event underscores the persistent challenges financial entities face in safeguarding customer data against internal threats.
(Source: Bleeping Computer)
