This week, Finastra, a financial software company that says it serves “45 of the world’s top 50 banks” and has more than 8,100 customers, publicly acknowledged a data breach that affected the files it sends to its institutional customers.
The company said the breach did not cause any operational disruptions for customers and that no malware was deployed to the Finastra network. Rather, the breach affected the secure file transfer platform the company uses to exchange data files associated with many of the company’s products. The files appeared to relate to software development rather than consumer data.
Finastra said it is analyzing the data that was stolen to determine which specific customers were affected. The company is also assessing and sharing with customers which products are and are not dependent on the file transfer platform that was compromised.
Initial evidence suggests that compromised credentials led to the breach, according to the company, though its investigation is ongoing. In
Finastra detected suspicious activity on its file transfer platform on Nov. 7 and immediately isolated and contained the platform, the company said. The next day, a threat actor claimed on data breach forums to have stolen data from Finastra. Also on Nov. 8, Finsatra notified customers about the incident, according to the letter.
“Importantly, we have been sharing new information with all of our stakeholders as it becomes available,” the company told American Banker. “The Finastra team has been actively and transparently responding to our customers’ questions and keeping them informed about what we do and do not yet know about the data that was posted.”
Finastra has shared indicators of compromise, or IOCs, with customers, which can help them confirm whether their systems were directly affected by the attack, according to the company.
The secure file transfer platform that the attacker compromised is not used by all customers and “is not the default platform used by Finastra or its customers to exchange data files,” the company said, “so we are working as quickly as possible to rule out affected customers.”
Note that while the secure file transfer platform shares the SFTP initialism with the Secure File Transfer Protocol, Finastra’s statement and letter to customers did not clarify whether the platform uses the protocol.
A post on cybercrime forum BreachForums dated Nov. 8 by a user named abyss0 advertised the sale of the apparently stolen data, which the user claimed came from IBM Aspera, a file transfer product suite. The user claimed the data included files with .dmp, .bak, .war, .jar, and .iso file extensions, as well as documentation.
These types of files are largely associated with software development rather than data storage, suggesting the breach might not have involved consumer data, which tends to fetch higher sales prices on cybercrime forums when stolen in bulk.
All posts by abyss0, who had posted about many other data breaches, have been removed from the forum, though it is unclear why. Finastra did not say whether it had paid an extortion payment.