Finastra has confirmed it warned customers of a cybersecurity incident after a threat actor began selling allegedly stolen data on a hacking forum.
Finastra is a financial software company serving over 8,000 institutions across 130 countries, including 45 of the world’s top 50 banks and credit unions. The company employs 12,000 people, and last year, it reported a revenue of $1.7 billion.
The security incident occurred on November 7, 2024, when an attacker used compromised credentials to access one of Finastra’s Secure File Transfer Platform (SFTP) systems.
The firm says that its investigation so far, which is aided by external cybersecurity experts, shows no evidence that the breach extended beyond its SFTP platform.
The firm’s software services include lending solutions, payment processing, cloud-enabled retail and banking platforms, and trading risk management tools.
Brian Krebs first reported that Finastra suffered a security breach yesterday after seeing a data breach notification sent to an impacted person.
The attack is believed to be linked to a recent post on a hacking forum, where a threat actor named “abyss0” claimed to be selling 400GB of data stolen from Finastra.
When asked about the forum post, a Finastra spokesperson would neither confirm nor deny if the data belonged to them, only telling BleepingComputer that they had suffered a limited-scope security breach and are currently evaluating its impact.
“On November 7, 2024 Finastra’s Security Operations Center (SOC) detected suspicious activity related to an internally hosted Secure File Transfer Platform (SFTP) we use to send files to certain customers,” Finastra told BleepingComputer.
“We immediately launched an investigation alongside of a third-party cybersecurity firm and, as a precautionary step, isolated and contained the platform. This incident was limited to the one platform and there was no lateral movement beyond it.”
The company also clarified that the compromised SFTP platform was not used by all its customers, nor was it the default platform used by Finastra for file exchange.
However, the exact impact and scope of its breach are still being investigated, and determining who is impacted may take a while until it’s completed.
Those who are deemed impacted will be contacted directly, so public disclosures from Finastra are not expected.
It’s worth noting that the threat actor who published the data samples earlier this month has since deleted the post, so whether the data was sold to a buyer or ‘abyss0’ became concerned by the sudden publicity is unknown.
In March 2020, Finastra suffered another major cybersecurity incident when it got hit by ransomware actors.
Back then, the fintech company was forced to take parts of its IT infrastructure offline in response to the threat, which caused service disruptions.
Though the means of initial access was unknown, reports from threat monitoring platforms highlighted the firm’s lackluster vulnerability management strategy, noting that it was using older versions of Pulse Secure VPN and Citrix servers.
