London-based financial technology firm Finastra notified affected customers earlier this year about a data breach that resulted in the exposure of their personal information.
On February 12th, 2025, Finastra began informing customers whose data had been compromised in a security breach. The same day, they filed official notice with the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), informing them that 65 Massachusetts residents were among those affected.
The exposed data included names and account numbers, raising concerns about potential identity theft. Finastra offered affected customers two years of free credit monitoring and identity protection services as part of their incident response.
A post on a hacker forum claiming to sell the stolen Finastra data disappeared almost immediately after appearing. Security experts suggest this timing indicates Finastra may have negotiated with the attacker to have the data listing removed from the underground forum.
In their notification letter, the company stated: “Finastra has no indication the unauthorized third party further copied, retained, or shared any of the data. We have no reason to suspect your information has or will be misused. As a result, we believe the risk to individuals whose personal data was involved is low.”
They also emphasized the limited scope of the breach: “As part of our investigation, Finastra and third-party experts have conducted a thorough review of the data involved in this incident and have determined that the impacted data contained certain personal information related to a small, select number of Finastra customers. Importantly, we have notified all affected customers directly to provide resources and comply with all relevant notification obligations.”
The cyber-attack occurred in November 2024, when an anonymous threat actor gained unauthorized access into Finastra’s IT networks, allegedly stealing customer personal information. At the time, the organization acknowledged the security breach, announcing the cybercriminal compromised its internal file-transfer application used by a portion of its clients, but declined to share information on the magnitude of the intrusion, citing an ongoing probe.
Cause of Finastra Data Breach
Finastra’s filing with OCABR provides insights into what caused the intrusion of their systems. On November 7th, 2024, the company observed an anomaly in their IT system after sections of its computer network were disrupted.
“On November 7, 2024 Finastra’s Security Operations Center (SOC) detected suspicious activity related to an internally hosted Secure File Transfer Platform (SFTP) we use to send files to certain customers,” stated Finastra.
In response, the company alerted relevant authorities and began collaborating with security teams to investigate the data breach. Through their inquiry, Finastra discovered that between October 31st and November 8th, 2024, a malicious actor had obtained unauthorized access to its Secure File Transfer Platform. The organization uses SFTP to offer technical support to clients. Investigators confirmed the attacker obtained several critical files from the SFTP server, containing sensitive, confidential customer information.
“We immediately launched an investigation alongside a third-party cybersecurity firm and, as a precautionary step, isolated and contained the platform,” Finastra added.
Although the company revealed limited details regarding the attack in their filing with Massachusetts OCABR, the data breach is believed to be related to a post made on the underground forum BreachForums (since deleted) by a cybercriminal named “abyss0” who claimed to be selling 400 gigabytes of data stolen from Finastra’s IT system.
Finastra was forced to take portions of their IT system offline to contain the incident, causing significant service disruptions. Security reports linked the attack to inadequate vulnerability management, noting that Finastra was using outdated Pulse Secure VPN and Citrix server versions.
This is not the first time Finastra has been targeted by cybercriminals. In March 2020, the company suffered a significant ransomware attack that forced them to take servers offline during the early days of the COVID-19 pandemic. That incident disrupted financial wire transfers, temporarily stranding tens of millions of dollars in transactions and affecting customers worldwide. Then-CEO Simon Paris noted that the 2020 attack appeared timed to coincide with Finastra’s efforts to transition their global workforce to remote work due to COVID-19.

Understanding Finastra Data Breach: A Detailed Breakdown
The Finastra security breach represents a significant cybersecurity incident targeting the financial technology sector. Here’s a step-by-step analysis of how the attack unfolded:
Step #1: Initial Compromise
- Threat actors obtained unauthorized access to the company’s Secure File Transfer Platform (SFTP).
- While the exact attack vector hasn’t been confirmed, the attackers likely used one of these methods:
  - Credential compromise: Attackers may have deployed phishing schemes or used malware to harvest login credentials. Once obtained, these user credentials would have given them unauthorized access to Finastra’s SFTP server.
  - Exploitation of vulnerabilities: The attackers might have exploited outdated applications or unpatched security flaws within the SFTP system, allowing them to gain entry without admin credentials.
  - Insider threats: Actions by a disgruntled employee or malicious insider with elevated permissions could have facilitated the intrusion.
Step #2: Establishment of Foothold
- Upon infiltrating Finastra’s networks, the attackers likely used existing admin accounts to maintain persistent access.
- They likely escalated their privileges, giving them the ability to access critical files stored on the SFTP system.
Step #3: Data Identification and Exfiltration
- The threat actors methodically searched for valuable, sensitive financial information stored on Finastra’s SFTP systems.
- They used automated scripts to identify valuable data and began transferring it out of the network.
- Between October 31st and November 8th, 2024, they extracted approximately 400 gigabytes of data (based on claims in the darkweb post by “abyss0”).
- Since Finastra used the SFTP system to support client transactions, the stolen data likely contained customers’ personal information, financial records, private communications, and possibly contracts.
Step #4: Concealing Tracks
- To avoid detection, the attackers likely erased logs or modified timestamps.
- They may have used sophisticated malware to disguise the data exfiltration traffic as normal network operations, avoiding immediate detection.
Step #5: Data Breach Detection and Response
- Finastra’s SOC noticed unusual activity on their SFTP system on November 7th, 2024.
- Security teams, including third-party vendors, confirmed that unauthorized access had occurred.
- The cybersecurity team implemented containment measures: revoking compromised credentials, strengthening security checks on critical systems, and notifying affected customers about potential data exposure.
Step #6: Incident Aftermath
- Investigations confirmed that the attack targeted only the company’s SFTP system, with no evidence of malware spreading to other parts of the network.
- Finastra faced reputational damage and regulatory scrutiny following the breach.
- The security incident highlighted the need for robust access controls, real-time threat detection, and endpoint privilege management (EPM) solutions.
Technical Security Flaws
Finastra’s cybersecurity incident illustrates how routinely security weaknesses in file transfer systems are exploited. The attack likely began with compromised credentials, which points to weak authentication controls: many businesses still rely on a plain username/password combination to access their SFTP servers. That authentication method is vulnerable to phishing campaigns, social engineering, and credential theft, and offers no second factor to stop a stolen password from being used.
The data breach also revealed inadequate access controls for SFTP-stored data. Cybersecurity blog KrebsOnSecurity reported that Finastra compiled a list of numerous clients whose information was compromised during the incident. This suggests that a single set of compromised credentials provided access to directories containing data for multiple clients, leading to increased risk. Modern security practices restrict access to sensitive information on a strict need-to-know basis and automatically terminate access after the allotted time period expires, reducing system exposure to malicious activities.
The fact that attackers could exfiltrate valuable information through the SFTP system points to gaps in data loss prevention. These attacks can be prevented by implementing Managed File Transfer (MFT) solutions with robust logging and immediate alerts to notify security teams about suspicious data transfer patterns. Finastra’s incident shows that the attacker accessed and stole hundreds of gigabytes of files, suggesting these security controls were either inadequate or missing. In a properly configured security monitoring system, transfers of such large volumes of information would trigger immediate alerts and response.
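The monitoring the paragraph above calls for can be sketched in a few dozen lines. The following is an added illustration, not code from Finastra or from the page’s author: it parses constructed SFTP transfer-log lines (the format is made up, loosely modelled on the per-file “close … bytes read” records an SFTP server writes) and raises an alert when one account downloads more than a threshold within a sliding window, or reads data from more than one client’s directory. The thresholds, the `/srv/clients/<client>/` layout, and the log lines are all assumptions.

```python
"""Volume- and scope-based exfiltration detection over SFTP transfer logs.

Added example; the log format, paths and thresholds are constructed, not Finastra's.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: one line per file handle closed on the server.
SAMPLE_LOG = """\
2024-11-05T02:10:01Z sftp-server[4211]: user=svc_support close "/srv/clients/acme/ledger.csv" bytes read 734003200 written 0
2024-11-05T02:14:33Z sftp-server[4211]: user=svc_support close "/srv/clients/acme/contracts.zip" bytes read 1887436800 written 0
2024-11-05T02:20:45Z sftp-server[4211]: user=svc_support close "/srv/clients/globex/export.tar" bytes read 2147483648 written 0
2024-11-05T02:31:09Z sftp-server[4211]: user=svc_support close "/srv/clients/initech/statements.pdf" bytes read 1073741824 written 0
2024-11-05T09:02:17Z sftp-server[5120]: user=alice close "/srv/clients/acme/invoice-2024-10.pdf" bytes read 204800 written 0
2024-11-05T09:05:40Z sftp-server[5120]: user=alice close "/srv/clients/acme/upload.csv" bytes read 0 written 40960
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sftp-server\[\d+\]: user=(?P<user>\S+) close "(?P<path>[^"]+)" '
    r'bytes read (?P<read>\d+) written (?P<written>\d+)$'
)
# Assumed directory layout: each client's data lives under /srv/clients/<client>/.
CLIENT_RE = re.compile(r'^/srv/clients/(?P<client>[^/]+)/')


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not a transfer record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client_m = CLIENT_RE.match(m['path'])
    return {
        'ts': datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ'),
        'user': m['user'],
        'path': m['path'],
        'read': int(m['read']),  # bytes the client pulled from the server
        'client': client_m['client'] if client_m else None,
    }


def detect(log_text, window=timedelta(hours=1), max_bytes=1 * 1024 ** 3, max_clients=1):
    """Return alerts for accounts whose downloads inside any sliding window exceed
    max_bytes ('volume'), or that read from more than max_clients client
    directories ('scope'). Each rule fires at most once per account."""
    alerts = []
    windows = defaultdict(deque)   # user -> deque of (timestamp, bytes) inside the window
    totals = defaultdict(int)      # user -> bytes read inside the window
    clients = defaultdict(set)     # user -> distinct client directories touched
    volume_alerted, scope_alerted = set(), set()

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev['read'] == 0:   # uploads and unparsable lines are ignored
            continue
        user = ev['user']
        q = windows[user]
        q.append((ev['ts'], ev['read']))
        totals[user] += ev['read']
        # Slide the window: drop transfers older than `window` relative to this event.
        while q and ev['ts'] - q[0][0] > window:
            _, old = q.popleft()
            totals[user] -= old
        if totals[user] > max_bytes and user not in volume_alerted:
            volume_alerted.add(user)
            alerts.append({'user': user, 'rule': 'volume', 'at': ev['ts'], 'bytes': totals[user]})
        if ev['client']:
            clients[user].add(ev['client'])
            if len(clients[user]) > max_clients and user not in scope_alerted:
                scope_alerted.add(user)
                alerts.append({'user': user, 'rule': 'scope', 'at': ev['ts'],
                               'clients': sorted(clients[user])})
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the service account trips the volume rule on its second download (about 2.4 GiB inside the hour) and the scope rule as soon as it reaches into a second client’s directory, while the ordinary user’s small single-client download stays silent. The scope rule is the one most relevant to the point made above: a single account legitimately serving one client should not be able to read other clients’ directories, and when it does, that is worth an alert even before the byte count becomes suspicious.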
Hardened Security Controls for File Transfer Systems
Fortified security for data movement and MFT systems requires a comprehensive approach beyond basic authentication. Strong data encryption must use industry-standard protocols to protect sensitive information both in storage and in transit. The least privilege principle should be incorporated into access controls to limit users (admins) to only temporary, brief access periods. Organizations may implement Endpoint Privilege Management (EPM) solutions to control access to critical data infrastructure.
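The temporary, least-privilege access the paragraph above describes comes down to a small set of rules: an elevation is granted for a stated reason and a bounded time, checked against the clock on every use, revocable at once, and every step is written to an audit trail. The following is an added, generic model of that pattern, not Admin By Request’s product or API and not code from the page; the resource names, the 30-minute cap and the audit-line format are assumptions.

```python
"""Minimal model of time-bound, audited privilege grants.

Added illustration of the least-privilege / temporary-access pattern; it is not
any vendor's implementation. Resource names and the duration cap are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Grant:
    user: str
    resource: str          # e.g. "sftp-admin"; any string naming a privileged role
    granted_at: datetime
    expires_at: datetime
    approver: str
    reason: str


@dataclass
class PrivilegeBroker:
    """Issues short-lived grants and answers 'is this user allowed right now?'."""
    max_duration: timedelta = timedelta(minutes=30)   # hard cap, assumed policy value
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def request(self, user, resource, reason, approver, now, duration=None):
        """Grant `resource` to `user` for at most max_duration, recording who approved and why."""
        duration = min(duration or self.max_duration, self.max_duration)
        grant = Grant(user, resource, now, now + duration, approver, reason)
        self.grants.append(grant)
        self._log(now, 'grant', user, resource,
                  f'approver={approver} reason={reason!r} until={grant.expires_at.isoformat()}')
        return grant

    def is_allowed(self, user, resource, now):
        """True only while an unexpired grant for exactly this resource exists; every check is logged."""
        ok = any(g.user == user and g.resource == resource and g.granted_at <= now < g.expires_at
                 for g in self.grants)
        self._log(now, 'allow' if ok else 'deny', user, resource, '')
        return ok

    def revoke(self, user, now, reason):
        """Cut every live grant for `user` short immediately (e.g. during an incident)."""
        count = 0
        for g in self.grants:
            if g.user == user and g.expires_at > now:
                g.expires_at = now
                count += 1
        self._log(now, 'revoke', user, '*', f'{count} grants reason={reason!r}')
        return count

    def _log(self, now, action, user, resource, detail):
        self.audit.append(f'{now.isoformat()} {action} user={user} resource={resource} {detail}'.rstrip())


if __name__ == '__main__':
    broker = PrivilegeBroker()
    t0 = datetime(2024, 11, 1, 9, 0)
    broker.request('alice', 'sftp-admin', 'rotate client export keys', 'bob', t0, timedelta(hours=8))
    print(broker.is_allowed('alice', 'sftp-admin', t0 + timedelta(minutes=10)))   # inside the grant
    print(broker.is_allowed('alice', 'sftp-admin', t0 + timedelta(minutes=31)))   # expired
    print('\n'.join(broker.audit))
```

Two details carry the security value. An eight-hour request is silently capped at the policy maximum, so a standing admin session cannot be obtained by simply asking for a long one, and the grant is bound to one named resource, so elevation for the SFTP administration role says nothing about other systems. Because denials are logged as well as grants, the audit trail also shows an account probing for access it does not hold.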

How Admin By Request Endpoint Privilege Management (EPM) Could Have Helped
Admin By Request has developed an endpoint privilege management solution to enforce least privilege policies, ensuring users have only the minimum necessary permissions to perform their duties. By reducing unnecessary admin rights, companies can significantly minimize the attack surface available to unauthorized users.
Key features of Admin By Request EPM
- Application control: Admin By Request monitors software deployment/installation attempts and allows execution of only approved applications with elevated privileges. This proactive approach blocks installation of malicious or unauthorized software that could compromise system security.
- On-Demand Elevation: Admin By Request requires users/administrators to request elevated rights for specific tasks, granted temporarily and fully audited. This ensures admin privileges aren’t permanently allocated, minimizing potential misuse.
- Comprehensive auditing: Every elevation request and admin action is logged to provide a transparent trail that can be monitored and analyzed by security teams.
- Integration features: Admin By Request integrates with system components like SIEM tools, Active Directory, and other management platforms, facilitating streamlined implementation.
Admin By Request EPM as a Preventative Solution
Implementing Admin By Request’s EPM product into Finastra’s IT architecture could have addressed several security vulnerabilities exploited during the data breach:
- Enforcing controlled access to sensitive systems: By applying strict least privilege policies, only authorized users would be permitted to access critical platforms like the SFTP server. Additionally, requiring temporary elevation for specific activities would reduce credential abuse risk.
- Preventing unauthorized software execution: Admin By Request’s application control capabilities would block deployment of unapproved applications, including malware used to exfiltrate sensitive data.
- Enhancing surveillance and response: The solution’s comprehensive auditing would provide real-time insights into administrative activities, enabling faster detection and response to suspicious behavior.
- Reducing insider threats: Limiting administrative privileges minimizes potential damage from disgruntled employees or malicious insiders with elevated permissions.
By integrating Admin By Request EPM into their security architecture, Finastra could have strengthened defenses against the types of attacks that led to this data breach, potentially preventing unauthorized access to their critical file transfer infrastructure and protecting sensitive customer data.
Takeaway
The Finastra cyber-attack serves as a warning about persistent security threats targeting financial technology companies. As threat actors employ more sophisticated tactics, businesses must strengthen their IT systems with modern data protection solutions. Deploying endpoint privilege management technologies is a practical step toward achieving robust cybersecurity. Beyond protecting organizations against external threats, these security measures address internal vulnerabilities and help create resilient security environments.