FinWise Bank has confirmed a major data breach involving a former employee who accessed sensitive information of American First Finance (AFF) customers, putting nearly 689,000 individuals at risk. The incident highlights the ongoing challenges financial institutions face in safeguarding customer data against both external and insider threats.
According to a filing with the Maine Attorney General’s office, the breach occurred on May 31, 2024, when the ex-employee accessed FinWise data after their employment had ended. This information was later disclosed by FinWise in breach notifications prepared on behalf of American First Finance, a leading provider of installment loans and lease-to-own services for consumers. AFF relies on FinWise Bank to originate and fund its loans, making the breach particularly damaging for its customer base.
The compromised files reportedly included full names and other personal identifiers, although the company has not publicly disclosed the complete scope of the exposed data. The method through which the former employee retained access to internal systems remains unclear, raising questions about access control policies and employee offboarding protocols within the bank’s IT security framework.
Once the breach was detected, FinWise launched an investigation in collaboration with external cybersecurity experts. The bank has since pledged to strengthen internal controls to prevent similar incidents in the future. In an effort to mitigate the damage, FinWise is offering 12 months of complimentary credit monitoring and identity theft protection services to all affected customers.
The consequences of this incident extend beyond immediate financial risk. The company is already facing multiple class-action lawsuits, with plaintiffs alleging negligence in data protection and failure to adequately secure sensitive consumer records. Adding to the scrutiny, FinWise acknowledged in its June 30, 2025 SEC 10-Q filing that approximately 600,000 individuals were directly impacted, a figure closely aligning with AFF’s disclosure.
This breach comes amid a wave of insider-related security incidents plaguing the financial sector, where trusted employees with privileged access have exploited vulnerabilities for unauthorized data retrieval. Industry experts stress that insider threats often bypass traditional cybersecurity defenses, requiring enhanced monitoring, zero-trust security models, and tighter enforcement of least-privilege access principles.
Conclusion: The FinWise Bank insider breach serves as a stark reminder that financial institutions must not only prepare for sophisticated external cyberattacks but also proactively guard against insider risks. For customers, the exposure of personal data raises long-term concerns about fraud and identity theft. For the industry, it underscores the urgent need for stronger cybersecurity governance, access management, and regulatory oversight to ensure customer trust in digital financial services remains intact.
