Finastra's Secure File Transfer Platform Breached: 400GB of Data at Risk


Finastra is a leading financial technology firm that serves over 8,000 institutions across the globe, providing software and services to 45 of the world’s top 50 banks. Reporting $1.9 billion in revenue last year, Finastra is a major company with connections to a vast network of organizations. Its operations include the handling and processing of massive volumes of sensitive financial data, including client information and internal documentation.

In early November, Finastra’s Security Operations Center (SOC) detected suspicious activity on one of their file transfer platforms. A threat actor on the dark web also claimed to be in possession of vast amounts of data exfiltrated from the platform, offering up databases full of files for purchase. This incident is part of a growing problem of attacks targeting fintech firms, highlighting a broader need for increased cybersecurity measures across the industry.

Details of the Breach

The timeline of this attack began before any suspicious behavior was detected. The threat actor, abyss0, who posted on the dark web to sell the exfiltrated data, had previously attempted to sell what appears to be the same data on October 31st, though without directly disclosing the specific target organization. The post made by the same user on November 8th listed many of the same client banks and mentioned Finastra by name. This user has also offered stolen databases for sale on the dark web from many other breaches over the last six months.

The compromised Secure File Transfer Platform (SFTP) is an internally hosted platform that Finastra uses to send large files to external recipients. While it is not used by all Finastra customers, it processes massive volumes of sensitive data related to wire and bank transfers, with files including client data and internal documents. The threat actor claimed that the exfiltrated data in this incident included a variety of files, such as configuration files, database backups, and executable components.

Investigation and Response

In response to their detection of suspicious activity, Finastra immediately isolated the platform from the network to contain the damage and implemented an alternative secure file-sharing platform to maintain continuity of service. The incident response includes investigation into the scope and nature of the data exfiltration, and Finastra is prioritizing finding the source of the compromise. Preliminary findings indicate that the breach likely originated with compromised credentials.

This process also includes collaboration with third-party cybersecurity firm Sygnia to support the investigation into the incident. Finastra is also sharing indicators of compromise and interacting directly with customers’ security teams, committed to accurate and transparent communication regarding the breach.

Impact Assessment

Finastra has communicated that this incident has had no direct impact on customer operations or systems and they believe there was no lateral movement within the network and no access to other data or systems beyond what was exfiltrated. Any files downloaded by clients from the platform are safe, as there is no evidence of malware or tampering with files. Not all customers were impacted, but affected organizations could have significant volumes of sensitive financial data exposed.

Finastra has stated that they are undertaking the time-intensive process of determining which customers are affected by this breach. Organizations whose data was compromised and exfiltrated should be notified by Finastra. “To understand what data has been impacted, organizations need to have the ability to monitor master data and configuration changes on a continuous basis across multiple applications and data pools,” according to Piyush Pandey, CEO at Pathlock, a Denver, Colorado-based identity and access security provider. “A major challenge is that many of these applications and data pools are siloed and don't have a management layer that looks over all of them. Each dataset must be carefully reviewed to determine ownership, sensitivity, and impact.”

Security Measures and Future Prevention

Industry regulations mandate a certain level of diligence in ensuring that the digital products and services offered by the company are secure. Cybersecurity measures like monitoring, threat detection, and incident response plans are in place, as evidenced by the SOC noticing the suspicious behavior on the platform and taking steps to contain, investigate, and remediate the incident. However, these measures were not enough to prevent the breach, and massive amounts of data were exfiltrated before it was detected.

Efforts are currently focused on investigating the attack in order to determine the scope and impact of the breach. Because the exfiltration arose from compromised credentials, the incident points to needed changes in credential management and access levels: widespread implementation of multi-factor authentication, secure configurations, and network segmentation to prevent unauthorized access to other parts of the network. Monitoring and detection are also crucial going forward, so that comparable incidents are caught earlier, before large volumes of data leave the platform.
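As an added illustration (not part of the original article and not Finastra's own tooling), the following Python sketch shows the kind of per-account volume monitoring that can surface a credentialed account pulling unusually large amounts of data from a file transfer platform. The log format, account names, and hourly baselines are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample transfer records in a simplified, hypothetical format
# (one "close" record per file, carrying the bytes read by the client).
SAMPLE_LOG = """\
2024-11-07T02:10:11 sftp-server[101] user=svc_transfer close "/out/batch1.csv" bytes read 52428800 written 0
2024-11-07T02:11:40 sftp-server[101] user=svc_transfer close "/out/batch2.csv" bytes read 41943040 written 0
2024-11-07T02:12:05 sftp-server[102] user=bankops close "/out/db_backup.tar" bytes read 3221225472 written 0
2024-11-07T02:30:55 sftp-server[102] user=bankops close "/out/config.zip" bytes read 2147483648 written 0
2024-11-07T03:01:17 sftp-server[103] user=bankops close "/out/app.bin" bytes read 1073741824 written 0
not a transfer record
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) .*? user=(?P<user>\S+) close .*? '
    r'bytes read (?P<read>\d+) written (?P<written>\d+)$'
)

def parse_transfers(log_text):
    """Yield (day_hour, user, bytes_read) for each close record; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        day_hour = m.group("ts")[:13]  # "YYYY-MM-DDTHH" bucket
        yield day_hour, m.group("user"), int(m.group("read"))

def read_volume_by_user_hour(log_text):
    """Aggregate bytes downloaded per (account, hour)."""
    totals = defaultdict(int)
    for day_hour, user, nbytes in parse_transfers(log_text):
        totals[(user, day_hour)] += nbytes
    return dict(totals)

def flag_bulk_downloads(log_text, baseline_bytes, factor=5):
    """Return (user, hour, bytes) for accounts whose hourly download volume
    exceeds factor x their baseline. baseline_bytes maps account -> expected
    hourly bytes read (hypothetical values derived from historical logs);
    an account with no baseline is flagged on any download."""
    flagged = []
    for (user, hour), total in read_volume_by_user_hour(log_text).items():
        if total > baseline_bytes.get(user, 0) * factor:
            flagged.append((user, hour, total))
    return sorted(flagged)

if __name__ == "__main__":
    baselines = {"svc_transfer": 100 * 1024 * 1024, "bankops": 200 * 1024 * 1024}
    for user, hour, total in flag_bulk_downloads(SAMPLE_LOG, baselines):
        print(f"ALERT {user} downloaded {total / 2**30:.1f} GiB in hour {hour}")
```

A rule like this is a coarse first signal; in practice it would feed an alert that correlates the account's source addresses and login times before an analyst treats it as credential compromise.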

Broader Implications for the Fintech Industry

An attack of this size on such a major fintech company is indicative of a broad need for more robust cybersecurity measures. The issues that lead to breaches like this are often systemic; organizations must address these problems on a foundational level rather than simply handling critical vulnerabilities as they crop up. In an increasingly complex and sprawling digital landscape, organizations across the globe rely on technology for many aspects of their operations.

Companies that provide financial technology and related services are targeted because they often serve many different organizations, as Finastra does. This means that a successful attack on one such fintech company can grant threat actors access to vast amounts of sensitive financial data from a wide array of organizations. Fintech firms are encouraged to follow best practices such as incorporating security by design into software and product development, fortifying user and account authentication and verification features, mitigating human risk through effective security awareness training (SAT), and looking into advanced technologies to fight advanced threats.

Stay Vigilant

This breach of Finastra’s internally hosted SFTP compromised vast volumes of sensitive data, including both customer information and internal documents. The way the data was offered up for purchase on the dark web as part of a longer pattern by the user abyss0 highlights how common attacks like this are and emphasizes the need for an industry-wide push for stronger cybersecurity in fintech.

The scope of the attack is massive, which makes investigation and remediation difficult, especially as many clients use multiple Finastra products across their businesses. Throughout this time-consuming process, Finastra has remained committed to transparency and accuracy in their communications with customers regarding this breach. It is important to take this incident as representative of the importance of cybersecurity vigilance in fintech and use it to inform future cybersecurity decisions.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.