Finastra, a leading financial technology firm, is currently facing the aftermath of an alleged large-scale theft of internal information from its file transfer platform. The company, which serves 45 of the world’s top 50 banks, recently informed its customers about the security incident after a cybercriminal started selling over 400 gigabytes of data that was reportedly stolen from Finastra.
Based in London with offices in 42 countries, Finastra reported revenues of $1.9 billion last year and has a workforce of over 7,000 employees. The company’s operations involve processing vast amounts of digital files containing instructions for wire and bank transfers on behalf of its clients, which makes the security of their internal platforms crucial.
On November 8, 2024, Finastra notified its financial institution customers about suspicious activity detected on its internally hosted file transfer platform on November 7. The company also disclosed that someone had begun selling large volumes of files that were claimed to be taken from its systems.
According to Finastra’s notification to customers, a threat actor communicated on the dark web stating that they had data exfiltrated from the platform. Despite this, Finastra reassured customers that there was no direct impact on their operations, their systems, or the company’s ability to serve its customers at that moment. Finastra implemented an alternative secure file sharing platform to ensure continuity while investigations into the incident were ongoing.
However, the notice to customers suggested that the intruder managed to extract an unspecified volume of customer data from Finastra’s systems. The threat actor did not deploy any malware or tamper with customer files in the environment; the only files accessed were those that were exfiltrated. Finastra remains focused on determining the scope and nature of the data contained within those files.
In response to inquiries about the incident, Finastra stated that it has been actively and transparently responding to customers’ questions and keeping them informed about the situation. While still investigating the root cause, initial evidence pointed to compromised credentials as a possible entry point for the cybercriminal.
Furthermore, the company shared that they had been communicating with customers’ security teams, providing updates on the investigation and the eDiscovery process. Finastra is analyzing the data to determine the specific customers affected while assessing which products are independent of the compromised platform. They are prioritizing accuracy and transparency in their communications and will be reaching out to affected customers directly.
On November 8, a cybercriminal using the alias “abyss0” posted on the cybercrime community BreachForums that they had stolen files belonging to some of Finastra’s largest banking clients. Screenshots collected by the cyber intelligence platform Ke-la.com indicated that abyss0 had initially attempted to sell the data on October 31, and the sales thread referenced many of the same banks identified as Finastra customers on November 8.
The timeline of events suggested that abyss0 had access to Finastra’s file sharing system before the company detected suspicious activity, and that the intruder may have returned on November 7. However, abyss0’s online presence disappeared suddenly, with both their Telegram account and BreachForums account being suspended or deleted.
In the past, Finastra had experienced a ransomware attack in March 2020, which disrupted some of the company’s core operations. Despite this incident, Finastra was able to recover without paying a ransom, as reported by Bloomberg.
This situation is still evolving, and updates will be provided as new information emerges. Anyone with additional details about the incident is encouraged to reach out to krebsonsecurity@gmail.com or at protonmail.com.