Thursday, April 3, 2025

Fintech giant Finastra is probing a data breach that may have compromised sensitive data.

The company is probing a massive suspected intellectual property heist from its internal file-sharing system. Finastra, which provides software to over 45 of the world’s top 50 banks, alerted clients about a security breach following reports that more than 400 gigabytes of allegedly stolen data were being offered for sale by cybercriminals.

Finastra, a London-based company, boasts a significant global presence with offices in 42 countries, while its financial performance is equally impressive, with revenues totalling $1.9 billion last year. The corporation employs more than 7,000 people and serves approximately 8,100 financial institutions worldwide. As a core aspect of Finastra’s daily operations, the company is responsible for efficiently processing vast amounts of digital data, including intricate instructions for wire and financial institution transactions, on behalf of its valued clients.

On November 8, 2024, Finastra alerted financial institution prospects that by November 15th of the same year, a new integration with their software would be mandatory for all partners to maintain compliance. Following a thorough review of the company’s internal systems, Finastra’s security team identified unusual activity on their in-house file-sharing platform, prompting an immediate investigation into the matter. Finastra warns potential clients that a malicious actor has started peddling massive quantities of data allegedly siphoned from its systems.

“On November 8, an alleged actor active in the dark web claimed to possess stolen data from our platform,” according to a leaked document obtained by a source within one of our major customer companies.

Currently, there is no direct impact on customer operations, prospect programmes, or Finastra’s ability to support its customers. We have implemented a secure alternative file-sharing platform to ensure business continuity remains seamless, and ongoing investigations will continue to shed light on the situation.

The discovery reveals that the unauthorized individual was able to exfiltrate an unknown amount of customer data.

The threat actor did not initiate malicious software deployments or compromise any customer data during the investigation, according to the findings. Additionally, no other information beyond what was exfiltrated came into view or was accessible. We focus intensely on determining the scope and nature of the data within the exfiltrated information.

In a written statement addressing questions surrounding the incident, Finastra emphasized its proactive and transparent approach in responding to customers’ inquiries, keeping them informed about what it knows and doesn’t know regarding the posted information. The company also disseminated an updated communication to clients, stating that while the investigation is ongoing, preliminary findings suggest compromised credentials as the suspected cause of the issue.

The statement continues: Moreover, we’ve shared Indicators of Compromise and collaborated closely with our customers’ security teams, providing them with real-time updates on the ongoing investigation and our comprehensive eDiscovery process.

As part of our eDiscovery efforts, we are meticulously examining information to determine which specific customers have been impacted, while simultaneously evaluating and communicating which of our products rely on the exact version of the SFTP platform that was compromised. As a result, the affected SFTP platform is not universally employed by prospective clients, nor is it the default platform used by Finastra or its customers for exchanging data concerning our comprehensive product portfolio; thus, we are expeditiously working to identify and notify impacted customers. While it’s understandable that implementing our solutions can be a complex process, the sheer scale of our larger clients, who utilise various Finastra products across multiple areas of their organisation, makes this endeavour even more time-consuming. Prioritizing accuracy and transparency is a key principle guiding our communication strategy.

When necessary, we will promptly initiate contact and address the concerns of all impacted parties.

On Nov. A cybercriminal, operating under the pseudonym “”, claimed in an English-language cybercrime forum that they had obtained sensitive data from several major clients of Finastra, a prominent financial services company. The public sale’s details did not provide a specific start time or “buy it now” price, instead instructing consumers to reach out to them on Telegram for further information.

abyss0’s Nov. Several threads on BreachForums featured seven gross sales breaches, showcasing a plethora of screenshots detailing file listings from various Finastra prospect companies. Picture: Ke-la.com.

According to screenshots gathered by a cyber intelligence platform, abyss0 initially attempted to market information reportedly stolen from Finastra on October 31; however, this earlier sales thread failed to identify the affected company. Notwithstanding its limitations, the report did identify numerous peers often classified alongside Finastra’s target audience in the Nov. 8 post on BreachForums.

“abyss0 presents an exclusive October 31 submission, promoting the sale of knowledge products from several prominent banks, potential partners for a large financial software company.” Picture: Ke-la.com.

The October sales thread also featured an opening price of $20,000. By Nov. The value of the three-year bond had been reduced to a mere $10,000. Assessing abyss0’s postings on BreachForums, it becomes evident that this individual has consistently promoted datasets pilfered from numerous breaches spanning over half a year.

It appears hackers had unimpeded access to Finastra’s sensitive files for weeks prior to the company’s detection of suspicious activity in November – potentially since early October or even September. The presence of 7 exercises potentially identified by Finastra raises suspicions about an unauthorised individual attempting to infiltrate and extract additional information.

It appears that abyss0 secured a buyer willing to cover their early retirement costs. We cannot possibly know, for this person has managed to disappear completely. The Telegram account referenced by abyss0 in the sales thread appears to have been suspended or deleted. The forum account of abyss0 on BreachForums no longer exists, and consequently all of their advertised sales threads have vanished from view.

It’s implausible that both Telegram and BreachForums simultaneously expelled this individual, considering their differing goals and purposes. More likely, the culprit’s hasty departure was prompted by some provocation sufficient to make them abandon several pending lucrative deals and sacrifice a meticulously crafted online criminal identity.

In March 2020, Finastra experienced an outage that severely impacted its core business operations for several days. Following the incident, Finastra was able to recover without having to pay a ransom.
