Fintech Giant Finastra Investigating Data Breach – Krebs on Security
December 10, 2024

Fintech company Finastra is investigating an alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, informed customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data allegedly stolen from the company.

London-based Finastra has offices in 42 countries and had revenue of $1.9 billion last year. The company has more than 7,000 employees and serves approximately 8,100 financial institutions worldwide. A major part of Finastra’s day-to-day business involves processing large amounts of digital files containing wire and bank transfer instructions on behalf of clients.

On November 8, 2024, Finastra notified financial institution customers that its security team detected suspicious activity on November 7 on Finastra’s internally hosted file transfer platform. Finastra also told customers that someone had begun selling a large number of files that were allegedly stolen from their systems.

“On November 8, a threat actor communicated on the dark web claiming to have exfiltrated data from the platform,” reads Finastra’s disclosure, a copy of which was shared by a source at one of the client companies.

“This has no direct impact on customer operations, our customers’ systems, or Finastra’s current ability to serve customers,” the notice continued. “We have implemented an alternative secure file sharing platform to ensure continuity and an investigation is ongoing.”

But its notification to customers did indicate that the intruders successfully extracted or “exfiltrated” an unknown amount of customer data.

“The threat actor did not deploy malware or tamper with any customer files in the environment,” the notification reads. “Additionally, no files other than the leaked files were viewed or accessed. We remain focused on identifying the compromised files and the scope and nature of the information contained in them.”

In a written statement in response to questions about the incident, Finastra said it has been “proactively and transparently answering customer questions and letting them know what we are doing and what they don’t know yet about the data being released.” The company also shared its latest communication to customers, which said that while the root cause is still being investigated, “preliminary evidence indicates that credentials have been compromised.”

“In addition, we have been sharing indicators of compromise (IOCs) and our CISO has been speaking directly with customers’ security teams to provide updates on the investigation and our eDiscovery process,” the statement continued. Here’s the rest of what they shared:

“On the eDiscovery front, we are analyzing data to determine which specific customers are affected, while also assessing and communicating which of our products do not rely on the specific version of the compromised SFTP platform. The affected SFTP platform is not used by all customers, nor is it the default platform used by Finastra or its customers to exchange profiles related to a range of our products, so we are working to exclude affected customers as quickly as possible. However, as you can imagine, this is a time-consuming process. We have many large clients using different Finastra products in different parts of their business. We prioritize communication accuracy and transparency.

“Importantly, for any customers who are believed to be affected, we will contact and work with them directly.”

On November 8, a man nicknamed “abyss0” posted on the English-language cybercrime community BreachForums, claiming to have stolen documents from some of Finastra’s largest banking clients. The data auction did not specify a starting price or a “buy it now” price, but said interested buyers should contact them via Telegram.

abyss0’s November 7 sales post on BreachForums included a number of screenshots showing file directory listings for various Finastra customers. Image: ke-la.com.

According to screenshots collected by the internet intelligence platform ke-la.com, abyss0 made a first attempt to sell data allegedly stolen from Finastra on October 31, but that earlier sales thread did not name the victim company. However, it did mention a number of banks named as Finastra customers in the Nov. 8 BreachForums post.

The original October 31 post from abyss0, in which they advertised the sale of data from several large banks that were customers of a large financial software company. Image: ke-la.com.

The October sales thread also included a starting price: $20,000. By November 3, the price had dropped to $10,000. A review of abyss0’s posts on BreachForums revealed that the user offered to sell repositories that had been stolen in dozens of other breaches publicized over the past six months.

The apparent timeline of the breach suggests abyss0 gained access to Finastra’s file-sharing system at least a week before the company said it first detected suspicious activity, and the November 7 activity cited by Finastra may have been the intruders’ return to steal more information.

Maybe abyss0 found a buyer to pay for their early retirement. We may never know because the man has effectively disappeared. The Telegram account listed by abyss0 in its sales thread appears to have been suspended or deleted. Likewise, abyss0’s account on BreachForums no longer exists and all of his sales threads have disappeared.

It seems unlikely that both Telegram and BreachForums removed this user at the same time. The simplest explanation is that something alarmed abyss0 enough to make them pass up some pending sales opportunities, in addition to a well-crafted cybercriminal persona.

In March 2020, Finastra suffered a ransomware attack that resulted in some of the company’s core operations being put on hold for days. According to Bloomberg reports, Finastra was able to recover from the incident without having to pay a ransom.

This is a developing story. Updates will be timestamped. If you have any additional information about this incident, please contact krebsonsecurity@gmail.com or protonmail.com.

2024-11-20 01:12:15
