Cyber Incident Victim: Finastra
Date: Oct 2024
Location: United Kingdom
Summary
A global fintech firm serving major banks experienced a data breach involving unauthorized access to its internal secure file transfer platform via compromised credentials. The attacker exfiltrated approximately 400 gigabytes of compressed data, including sensitive client information and internal documents, before advertising it for sale on cybercrime forums. The compromised system was replaced with a secure alternative, and impacted clients were notified within 24 hours of detection. The company's CISO directly engaged with clients' security teams, sharing indicators of compromise and initiating a detailed analysis to determine the scope of affected data. While the breach did not involve malware or direct tampering with customer systems, the incident raised concerns about data confidentiality. The threat actor ceased public activity shortly after the breach was disclosed, removing their online presence.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On October 31, 2024, a cybercriminal using the alias "abyss0" advertised approximately 400 gigabytes of compressed data for sale on BreachForums, initially pricing it at $20,000 before reducing it to $10,000 by November 3. The listing did not initially name Finastra but referenced major banking clients consistent with the company’s customer base. On November 7, Finastra detected suspicious activity on its internally hosted Secure File Transfer Platform (SFTP), which facilitated critical banking and wire transfer operations for over 8,100 financial institutions worldwide. The following day (November 8), Finastra notified customers of the breach after abyss0 explicitly named the company in a new BreachForums post, claiming theft of files from its largest banking clients and directing potential buyers to contact them via Telegram. The attacker used stolen credentials (a username and password) to access the SFTP system and used IBM Aspera, a high-speed file transfer tool, to exfiltrate data without deploying malware or altering customer files.

Finastra confirmed the breach compromised client data potentially containing transaction details and financial records, along with internal operational documents, though the full scope remained under investigation. The impacted SFTP platform was not the company’s default file-sharing system and was not used by all customers. In response, Finastra replaced the compromised platform with a secure alternative, notified affected clients within 24 hours of detection, and initiated a detailed analysis of the stolen data to identify specific impacted customers. The company’s Chief Information Security Officer engaged directly with clients’ security teams to share Indicators of Compromise (IOCs) and investigation updates, emphasizing transparency while acknowledging the time-intensive nature of eDiscovery due to the complexity of client product usage. By mid-November, abyss0 had deleted their BreachForums and Telegram accounts, halting all public sales activity without explanation. Finastra reiterated that the breach did not disrupt customer operations or its ability to serve clients, citing its recovery from a 2020 ransomware incident without ransom payment as precedent for its containment approach. The company committed to contacting all affected customers directly once identified through ongoing forensic analysis.
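The incident pattern above (valid credentials, no malware, bulk downloads from a file-transfer platform) is one that transfer-server logs alone can surface if anyone is correlating them. The following is an added example written for this page, not Finastra's tooling or logs: it parses a constructed, hypothetical transfer-log format (timestamp, account, source IP, action, bytes, path), builds per-account totals, and raises an alert only when two or more independent signals coincide (download volume above a threshold, a source IP absent from the account's baseline, activity outside business hours). The log lines, the baseline IP set, the 1 GiB threshold and the 22:00-06:00 off-hours window are all assumptions chosen for illustration.

```python
"""Added example: flag anomalous bulk downloads on a file-transfer platform.

Log format, baseline data and thresholds are constructed assumptions for this
illustration; they are not Finastra's logs or detection logic.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (hypothetical format: ts user src_ip action bytes path).
# The first two lines are routine nightly pulls from the account's usual address;
# the last three are a large off-hours download from an address never seen before.
SAMPLE_LOG = """\
2024-11-06T02:14:10Z svc_bank_a 203.0.113.7 GET 1048576 /outbound/ach_20241105.zip
2024-11-06T02:15:02Z svc_bank_a 203.0.113.7 GET 2097152 /outbound/wires_20241105.zip
2024-11-06T09:30:44Z svc_bank_b 198.51.100.22 PUT 524288 /inbound/returns.csv
2024-11-06T23:41:05Z svc_bank_a 192.0.2.45 GET 734003200 /outbound/archive_2023.tar
2024-11-06T23:49:31Z svc_bank_a 192.0.2.45 GET 838860800 /outbound/archive_2022.tar
2024-11-07T00:05:12Z svc_bank_a 192.0.2.45 GET 1258291200 /outbound/archive_2021.tar
"""

# Constructed baseline: source addresses each account has historically used.
KNOWN_IPS = {
    "svc_bank_a": {"203.0.113.7"},
    "svc_bank_b": {"198.51.100.22"},
}


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, nbytes, path = line.split(maxsplit=5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user,
            "ip": ip,
            "action": action,
            "bytes": int(nbytes),
            "path": path,
        })
    return events


def is_off_hours(ts, start_hour=22, end_hour=6):
    """True when the timestamp falls in the assumed 22:00-06:00 UTC quiet window."""
    return ts.hour >= start_hour or ts.hour < end_hour


def detect_bulk_download(events, known_ips, byte_threshold=1 << 30):
    """Return alerts for (user, src_ip) pairs showing at least two exfiltration signals.

    Signals: total download volume at or above byte_threshold, a source IP not in
    the account's baseline, and any transfers during off-hours. Requiring two
    signals keeps a single large but routine pull from paging anyone.
    """
    totals = defaultdict(int)
    off_hours_hits = defaultdict(int)
    for e in events:
        if e["action"] != "GET":  # only outbound transfers count as downloads
            continue
        key = (e["user"], e["ip"])
        totals[key] += e["bytes"]
        if is_off_hours(e["ts"]):
            off_hours_hits[key] += 1

    alerts = []
    for (user, ip), total in sorted(totals.items()):
        reasons = []
        if total >= byte_threshold:
            reasons.append(f"download volume {total} bytes >= {byte_threshold}")
        if ip not in known_ips.get(user, set()):
            reasons.append(f"source {ip} not in baseline for {user}")
        if off_hours_hits[(user, ip)]:
            reasons.append(f"{off_hours_hits[(user, ip)]} transfers outside business hours")
        if len(reasons) >= 2:
            alerts.append({"user": user, "ip": ip, "bytes": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_download(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(f"ALERT {alert['user']} from {alert['ip']}: {alert['bytes']} bytes")
        for reason in alert["reasons"]:
            print(f"  - {reason}")
```

Run against the constructed log, the routine 02:00 pulls from the baseline address trip only the off-hours signal and stay quiet, while the 192.0.2.45 session is flagged on all three signals. In a real deployment the baseline would be built from weeks of the platform's own history rather than a hard-coded dict, and the alert would carry the account and source address so the platform team can revoke the credential and share the indicator with affected clients, as the description above notes Finastra did.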
