Fintech Finastra Confirms Data Theft; Investigation Underway
Company Probing Customers Affected After Attacker Claims 400 Gigabyte Data Theft
One of the largest financial software firms in the world warned customers that an attacker stole an unknown quantity of data after a hacker on a criminal forum offered for sale data purportedly filched from the company.
Privately held and London-based Finastra counts more than 8,000 financial services firms across 130 countries as customers and disclosed 2023 revenues of $1.9 billion. The company offers a payments platform through which financial services firms can manage cash and fund transfers.
The company said its security operations center on Nov. 7 detected unusual activity tied to an internally hosted secure file transfer platform, SFTP, it uses to send files to customers. "We immediately launched an investigation alongside a third-party cybersecurity firm and, as a precautionary step, isolated and contained the platform," Finastra told Information Security Media Group in a written statement. "This incident was limited to the one platform, and there was no lateral movement beyond it."
The company said it notified customers about the breach on Nov. 8 and continues to update them, as well as employees and regulators, with the results of a still active probe.
The intrusion may have begun more than a week before being detected.
Citing screenshots gathered by threat intelligence firm Kela, cybersecurity journalist Brian Krebs, who first reported on the breach, said a user of Breach Forums - with the handle "abyss0" - on Oct. 31 first offered data stolen from "one of, if not the biggest, financial software solutions company" for sale for $20,000, without naming the victim company. On Nov. 7, abyss0 reduced the price to $10,000, named Finastra as the victim and claimed to be selling 400 gigabytes of stolen data.
Subsequently, abyss0 closed both their Breach Forums account as well as the Telegram account previously listed in their profile, as Krebs reported. Why they disappeared isn't clear.
Finastra said it's engaged in a laborious process to correlate stolen data with affected customers.
"The impacted SFTP platform is not used by all customers and is not the default platform used by Finastra or its customers to exchange data files associated with a broad suite of our products. So we are working as quickly as possible to rule out affected customers," the company said. "This is a time-intensive process because we have many large customers that leverage different Finastra products in different parts of their business. We are prioritizing accuracy and transparency in our communications."
Already, the company suspects stolen credentials were used in the attack. "We are continuing to investigate the root cause, but initial evidence points to credentials that were compromised," Finastra said. "The source of the compromise is a priority aspect of the investigation."
The company didn't immediately respond to a request for comment about whether it safeguards SFTP access by requiring customers to use multifactor authentication rather than just a username and password.
Multiple major breaches continue to trace back to attackers harvesting static credentials via information-stealing malware and using them to access accounts and services. One long-standing defense against such attacks is to require customers to use multifactor authentication when accessing their account, although not all service providers offer it, make it easy to enable or make it mandatory (see: After Customers Get Breached, Snowflake Refines Security).
This isn't the first breach Finastra has suffered. In 2020, the company took multiple systems offline after getting hit by ransomware to contain the intrusion while it restored systems (see: Fintech Firm Finastra Recovering From Ransomware Attack).