Finastra, a financial technology firm, is investigating an alleged data breach. According to a notice distributed by the organization, Finastra’s Security Operations Center (SOC) discovered activity on an internal file transfer platform on November 7th, prompting incident response protocols. On November 8th, a malicious actor on the dark web claimed to exfiltrated data from this platform, causing Finastra to investigate. 

Finastra has stated that customer operations, systems and services have not been impacted by this incident. Currently, Finastra is in the process of determining which customers may have been affected by the breach. Below, security leaders are sharing their thoughts on the incident. 

Security leaders weigh in

Trey Ford, Chief Information Security Officer at Bugcrowd:

The first challenge in incident response is drawing the sandbox of what’s in scope, how systems and information were accessed, and what was taken. The process of inventory and impact — companies will retain outside counsel who will pull in a DFIR (data forensics/incident response) partner to drive the investigation, and will use specialized firms to inventory the data (intellectual property vs. privacy impacted data, etc.) to understand which customers, and which users were impacted. From there, the analysis is done to understand where the parties are based, and what privacy laws are impacted by the compromised data.

These investigations can take weeks to months, depending on a wide variety of variables. “Right of Boom” — the actions and responses taken after the incident happens, the first priority is recovering positive control of the environment, and preventing re-compromise or further loss of control. The scope of impact often expands during that analysis. Concurrently, impacted data will be inventoried, and the notification clock starts — timelines to notifying impacted parties and data supervisory authorities or regulators.

Mr. Piyush Pandey, CEO at Pathlock:

Analyzing stolen data from breaches like this is a complex and time-intensive process, particularly when dealing with a diverse customer base. To understand what data has been impacted, organizations need to have the ability to monitor master data and configuration changes on a continuous basis across multiple applications and data pools. A major challenge is that many of these applications and data pools are siloed and don't have a management layer that looks over all of them. Each dataset must be carefully reviewed to determine ownership, sensitivity, and impact.

• Large volumes of data (400GB) require extensive forensic review to identify contents and affected customers.
• Diverse customer and product lines complicate mapping data to specific entities.
• Limited monitoring or incomplete logs can hinder root cause and impact analysis.

Data breaches involving sensitive financial data can have far-reaching implications, even for a privately held company like Finastra. One critical area of concern is the impact on cyber insurance, as breaches often lead to increased scrutiny from insurers, and may result in the significant rise of insurance premiums. The Reputational damage may be difficult to quantify but is an inherent impact of any data breach. 

• Cyber insurance premiums may rise significantly after a breach.
• Insurers might question coverage if security gaps, like insufficient privileged account monitoring, are identified.
• Compliance with data privacy laws (e.g., GDPR, CCPA) could also influence future policy terms and costs.

Jason Soroko, Senior Fellow at Sectigo:

Analyzing stolen data in breaches like this is challenging because the volume and diversity of information across multiple company divisions or back office silos. It is difficult to map stolen files to specific customers and assessing the sensitivity of each piece of information. Sifting through logs and knowing what the adversary exfiltrated could take a long time. This process is complicated by varying data formats and storage locations, making it difficult to quickly determine the full impact.

Elad Luz, Head of Research at Oasis Security:

According to Finastra’s notice, the threat actor gained access to sensitive files through a vulnerable Secure File Transfer Protocol (SFTP) server. SFTP is a widely used protocol for securely accessing files remotely through encryption, with several popular software solutions supporting it.

One such solution, MOVEit by Progress Software, had a critical vulnerability that was publicly disclosed just a few months ago. MOVEit is also PCI-DSS compliant, which is required for financial institutions, making it likely that this was the software in use. Interestingly, although the vulnerability was discovered months ago, NIST has updated its severity rating.