UK-based financial technology firm Finastra’s attempts to penetrate the UK mortgage market suffered a blow this month after it reported a significant data breach, with cybercriminals allegedly stealing sensitive data from its internal file transfer platform.

The breach has raised concerns as reports suggest the stolen data — amounting to approximately 400 gigabytes — was being offered for sale on the dark web.

Finastra, which provides services to around 8,000 financial institutions worldwide, discovered suspicious activity on 7 November.

The company’s Security Operations Center (SOC) detected irregularities related to its Secure File Transfer Platform (SFTP), a tool used to transmit files to certain customers. Following this, Finastra engaged a third-party cybersecurity firm and took action to isolate and contain the affected system.

In a communication to its clients on 8 November, Finastra assured stakeholders that the breach was limited to the compromised platform, with no evidence of malware deployment or tampering with files within the environment.

COMPROMISED CREDENTIALS

Finastra has since confirmed that the data breach involved unauthorised access through compromised credentials. The company is working to determine the specific customers affected and has pledged to directly inform them as findings become available.

In a statement to Mortgage Soup, Finastra outlined its response to the incident.

The company noted that the compromised SFTP platform is not the default system used by most customers and does not impact all products or services.

CUSTOMERS AND REGULATORS

The investigation, which is ongoing, is focused on analysing the affected data and ensuring transparency with customers and regulators.

“We first communicated this incident to customers on November 8th and remain in direct contact with them, as well as with our employees and regulators,” Finastra stated. “We are prioritising accuracy and transparency in our communications, sharing new information as it becomes available.”

It added: “There was no lateral movement beyond [the platform],” emphasising that customers’ operations and systems were not directly impacted.

LENDERS AFFECTED?

Finastra has been looking to widen its presence in the UK financial services sector over recent years and its services have been piloted and tested by various UK lenders.

In 2021, bridging lender Glenhawk announced it was to adopt Finastra’s Fusion Essence Cloud banking solution, to drive operational efficiency of the loan completion and loan management process, including monitoring the existing loan book.

When asked by Mortgage Soup whether they had been affected by the data breach, a spokesperson for Glenhawk simply stated that they couldn’t comment “at this stage”.

The Melton Building Society confirmed to Mortgage Soup that it is a customer of Finastra, adding: “We are aware of the incident involving Finastra and are in dialogue to understand the full circumstances of the breach. We’ve been assured the incident has been contained and reported in line with regulations.

“A full investigation is underway, but due to the nature of our contracted services with Finastra we do not believe the Society or our customers to be impacted.”

Meanwhile, Finastra would not disclose to Mortgage Soup if any, and if so how many, UK lenders were directly impacted by the breach.

“We have engaged leading partners to conduct a thorough review and to search the affected data set for any sensitive business and personal information”

“THOROUGH REVIEW”

When asked by Mortgage Soup if and when the Information Commissioner’s Office (ICO) was notified about the breach, Finastra stated: “We are working around the clock to conduct a robust data impact analysis, however it is a time-intensive process.

“We have engaged leading partners to conduct a thorough review and to search the affected data set for any sensitive business and personal information.

“Once Finastra determines what specific data was involved, we will reach out to any affected customers directly to share our findings and to help them comply with any potential notification obligations they may have as data controllers to the ICO or other regulators.”

The ICO was contacted for comment but had not responded by the time of publication.

ALTERNATIVE MEASURES

To prevent further disruptions, Finastra has implemented an alternative secure file transfer platform. The company is also examining its broader cybersecurity measures, particularly the processes around credential management.

Finastra reiterated its commitment to supporting customers through the aftermath of the breach. “We are working around the clock to conduct a thorough data impact analysis,” the company said.

“For any customers who are deemed to be affected, we will be reaching out and working with them directly.”