Finastra data breach: Lessons for financial sector cybersecurity

In November 2024, Finastra, a leading financial technology provider serving 90% of the world's top 50 banks, experienced a significant data breach that compromised sensitive customer information and exposed critical gaps in security governance. This breach aligns with broader industry trends showing the financial sector as a top target for cyberattacks. In 2024, the average global cost of a data breach had risen to $4.88 million, and for financial enterprises, the impact is even more pronounced, with average breach costs escalating to $6.08 million—22% higher than the global average. IBM also reports that large-scale breaches involving 50 million records or more can incur costs of up to $375 million, underscoring the severe financial implications of such incidents. This emphasizes the need for financial enterprises to enhance their cybersecurity frameworks. Implementing proactive measures, such as advanced threat detection, comprehensive employee training, robust incident response strategies, and strengthening credential management, is essential to mitigate the growing risks and associated costs of data breaches in the financial industry.

Overview of the Finastra data breach

Between October 31 and November 8, 2024, an unauthorized entity gained access to Finastra’s systems through a compromised SFTP. With the data alleged stolen on October 31 and listed for sale at $20,000, the threat actor later reduced the amount to $10,000 on November 3, 2024. While Finastra detected suspicious activity on its internal SFTP on November 7, 2024, the breach was first discovered and reported by cybersecurity journalist, Brian Krebs, when he became aware of Finastra's data being sold.

On November 8, 2024, a threat actor going by the name "abyss0" posted on the dark web forum, BreachForums, claiming that they had stolen 400GB of Finastra's data and had leveraged IBM Aspera to exfiltrate this data as shown in Figure 1. The stolen data allegedly includes configuration files, database snapshots, names, and financial details of certain customers. On the same day, Finastra disclosed the news of the breach to certain customers as shown in Figure 2. Finastra stated that apart from launching an internal investigation, it had also engaged the services of a cybersecurity firm to identify the root cause of the incident.

Image source: HackManac

Figure 1: Finastra data breach exposed by abyss0

Image source: KrebsOnSecurity

Figure 2: Data breach notice issued to customers by Finastra

Finastra explained that the compromised SFTP was not its primary file-sharing tool but was used to support specific technical engagements with some customers. The organization also clarified that evidence indicates that the breach came about due to compromised credentials and that no malware was deployed, and no additional files or data were accessed or viewed. However, Finastra seems to have delayed reporting the breach to all its customers, as news reports states that some of the affected individuals were informed only on February 12, 2025. While the total number of affected party hasn't been disclosed by Finastra, as many as 65 Massachusetts residents were affected by the breach, and Finastra offered two years of identity protection for the affected individuals as shown here.

How can financial enterprises prevent and detect a breach like Finastra's?

To prevent and detect breaches like the one experienced by Finastra, financial enterprises need to implement a multi-layered cybersecurity strategy that combines proactive defense, threat intelligence, and responsive governance. Here are some key strategies:

1. Strengthen identity and access management

Why it matters: The Finastra breach was triggered by compromised credentials. Weak or reused passwords are a common entry point for attackers. Financial enterprises can prevent most threats against them by ensuring proper credential hygiene and access controls.

Best practices:

• Enforce MFA across all systems, especially the ones that are external-facing.
• Implement the principles of least privilege to ensure users only access systems and resources they need.
• Rotate credentials regularly and retire unused accounts.
• Use passwordless authentication like biometrics or hardware tokens for critical systems.

2. Monitor the dark web

Why it matters: The threat actor, abyss0, advertised access for stolen data on BreachForums days before the breach was detected by Finastra. Monitoring the dark web can surface early warning signs that can help financial institutions improve their mean time to detect and respond to security incidents.

Best practices:

• Deploy dark web monitoring tools to track mentions of your company, IPs, or credentials.
• Integrate threat intelligence feeds to identify known malicious IPs and map emerging tactics used by attackers.
• Use automated alerts tied to threat actor activities such as access-for-sale and data leaks.

3. Proactively assess all risks: Internal and third-party vendor risks

Why it matters: In the Finastra breach, attackers exploited an SFTP server which while internally managed, operated outside core security governance. This blind spot, caused by siloed credentials and weak oversight, enabled access via compromised credentials. This incident highlights that third-party risk isn’t limited to external vendors; any system outside centralized controls poses similar threats and must be treated with equal scrutiny.

Best practices:

• Implement UEBA-integrated SIEM solutions to detect abnormal user and entity behavior.
• Maintain an up-to-date third-party inventory.
• Monitor and block shadow IT use.
• Continuously assess vendor security posture, and not just during annual audits.
• Ensure vendors adhere to your security policies, including incident response and MFA enforcement.
• Implement Zero Trust Architecture to limit how third-party tools connect to core systems.

4. Deploy advanced threat detection and response capabilities

Why it matters: Although Finastra eventually isolated the breach, earlier detection could have prevented data exfiltration. How much damage an attacker manages to inflict often depends on how quickly the threat is detected. The sooner a breach is detected, the sooner it can be contained, minimizing its impact.

Best practices:

• Implement SIEM and XDR solutions that correlate activity across endpoints, the cloud, and networks.
• Monitor for signs such as unusual file transfers, abnormal login attempts, and access from uncommon geographical locations or IPs.
• Conduct continuous security logging and behavioral analytics on high-value assets.

5. Red teaming and tabletop exercises

Why it matters: Simulating real-world attacks reveals weaknesses in detection, escalation, and containment. Tabletop exercises like cyberwar gaming can help financial enterprises test and improve their security posture and preparedness against cyberattacks. It can also help increase cyber resilience of enterprises. Download this instructographic to learn more: Steps to conduct an effective cyberwar game for a CISO.

Best practices:

• Run red team vs. blue team exercises focused on credential compromise and lateral movement.
• Conduct tabletop exercises simulating supply chain or third-party breaches.
• Regularly update incident response playbooks and escalation paths based on lessons learned.

6. Establish a transparent breach communication plan

Why it matters: Delayed communication, as seen in the Finastra case, can lead to loss of customer trust and regulatory scrutiny. In many cases, an organization’s response to a breach has a greater effect on its overall impact than the breach itself, especially when data isn’t lost. So, it's crucial for organizations to be timely and transparent while notifying the concerned stakeholders of the breach.

Best practices:

• Predraft templates for regulatory reporting, customer notifications, and press releases.
• Define clear ownership for breach disclosure decisions at all levels of management.
• Use crisis simulation tools to test communication workflows.

7. Security awareness training

Why it matters: Human error or negligence is still one of the biggest security risks. Employees and contractors must recognize signs of phishing, social engineering, and data misuse.

Best practices:

• Conduct regular phishing simulations.
• Provide tailored training by role (for example, finance, developers, IT support) and educate them about cybersecurity best practices.
• Include real-world case studies to make the training more relevant.

By investing in these areas, financial institutions can significantly reduce the risk of suffering a breach like Finastra’s and respond effectively if one occurs.

Related solutions