A data breach at Finastra last year compromised some of the customers’ personal information, the core banking software provider told its clients in a recent letter.
Finastra, which says it serves more than 8,000 financial institutions, had previously acknowledged a data security incident that occurred at the end of October and the start of November. Initially, the breach appeared to relate to software development files, but the company’s letter clarified that financial account information was included.The breached data did not include Social Security numbers, driver’s licenses or card numbers, according to
So far, it is unclear how many people in total were affected by the data breach. According to the Massachusetts attorney general, which published a version of the letter sent to victims, the breach affected 65 people in the state.
Finastra’s data breach notification is dated Feb. 12, which is 97 days after Nov. 8, the day Finastra said it identified the incident.
Some states specify the number of days a company has to report a data breach to individual victims, starting when the company first discovers the breach. Often, companies have 30 or 45 days, but exceptions are made in cases where law enforcement has requested the company not report the information publicly, as this can reduce the risk of an attacker covering their tracks.
Massachusetts requires companies to report data breaches only within “a reasonable amount of time,” without a specific number of days. Finastra also said in its letter to victims that it “immediately” reported the incident to law enforcement, including the FBI, and is “working closely” with the agencies.
On Nov. 13, the company sent a letter to institutional customers, published by cybersecurity reporter Brian Krebs, first informing them that an incident had occurred.
“Importantly, we have been sharing new information with all of our stakeholders as it becomes available,” the company told American Banker in November. “The Finastra team has been actively and transparently responding to our customers’ questions and keeping them informed about what we do and do not yet know about the data that was posted.”
In the November letter, Finastra mentioned IBM software Aspera, which is a file transfer product. Finastra also said that an unauthorized party accessed a file transfer platform at various times between Oct. 31 and Nov. 8 using compromised credentials.
Also on Oct. 31, a threat actor with the username abyss0 made a post on BreachForums, a website for cybercriminals to share and sell stolen data, offering to sell IBM Aspera access to an “unidentified financial software company” for $20,000, with 10 TBs of data, according to
On Nov. 8, abyss0 posted on BreachForums again, this time selling 400 GB of data stolen they said they stole from Finastra, including files with .dmp, .bak, .war, .jar, and .iso file extensions, as well as documentation. These types of files are largely associated with software development rather than data storage, suggesting at the time the breach might not have affected consumer data.
All posts by abyss0, who had posted about many other data breaches, have been removed from the forum, though it is unclear why. Finastra did not say whether it had paid an extortion payment.
According to an analysis by cybersecurity journalist Brian Krebs, the Telegram account that abyss0 listed in their sales was suspended or deleted around the same time their BreachForums account disappeared.
“It seems improbable that both Telegram and BreachForums would have given this user the boot at the same time,” Krebs wrote. “The simplest explanation is that something spooked abyss0 enough for them to abandon a number of pending sales opportunities, in addition to a well-manicured cybercrime persona.”