Finastra confirms customer data breach from file transfer application

London-based FinTech giant Finastra has started notifying individuals whose sensitive personal data was compromised in a data security incident that took place last year.

 

The fintech giant told customers in a data security incident notice that on November 7, it identified suspicious activity on an internally-hosted file transfer platform. The company immediately launched an investigation, with assistance from cyber security company Sygnia, to determine the nature and scope of the incident.

 

“Files downloaded from Aspera are safe. The threat actor did not deploy malware or tamper with any customer files within the environment,” Finastra said. “Furthermore, no files other than the exfiltrated files were viewed or accessed. We remain focused on determining the scope and nature of the data contained within the exfiltrated files.”

 

Finastra added that it isolated the affected system and its preliminary investigation indicated that certain credentials were accessed by the threat actor. 

 

Recently, the company started notifying affected individuals whose sensitive personal data was compromised during the incident.

 

“Our investigation revealed that an unauthorised third party accessed a Secure File Transfer Platform (SFTP) at various times between October 31, 2024 and November 8, 2024. Findings from the investigation indicate that on October 31, 2024, the unauthorised third party obtained certain files from the SFTP,” reads the data security incident notice.

 

While Finastra did not share the number of affected individuals or the nature of the compromised data, the company said in a filing with the Attorney General of Massachusetts that it identified at least 65 people in the state whose financial account information was compromised during the incident.

 

The FinTech giant found no evidence of the compromised information being misused, but has advised affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general. It has also offered two years of complimentary identity protection and credit monitoring services through Experian to all affected individuals.