FinWise Data Breach Shows Why Encryption Must Remain the Final Line of Defense

FinWise’s insider breach exposed nearly 700,000 customer records and revealed weak encryption controls, underscoring that data encryption—and key governance—must stand as the final line of defence.

    A severe data breach at FinWise Bank exposed sensitive personal information of approximately 689,000 customers, highlighting that encryption is the ultimate safeguard when other controls fail. The incident also draws attention to how insider threats and delayed detection can render protective measures moot.

    Insiders Bypass Perimeter Defenses in Breach of Financial Institution

    On May 31, 2024, a former employee of FinWise Bank gained unauthorized access to customer records tied to its partner American First Finance. The exposure was not discovered until June 18, 2025—more than a full year later. The data involved includes full names, dates of birth, Social Security numbers and account information. Victims now claim the data was stored unencrypted.

    “If FinWise properly implemented and managed its data encryption systems, the exposure of customers’ personal information could have been prevented even after the breach.”
    — Security expert review

    The delay in detecting the breach and initiating disclosure triggered at least six class-action lawsuits seeking more than $5 million in relief. Plaintiffs allege negligence and demand stronger encryption and lifetime identity-monitoring protections.

    Encryption Failures Allow Long-Term Exposure of Customer Data

    Legal filings allege FinWise failed to encrypt data effectively at rest or in transit. Experts argue that even when data is encrypted, the protection can collapse without strong key-management and access-control frameworks, especially in an insider-threat scenario.

    In this case, a former employee retained valid credentials and accessed the systems from inside the network perimeter. Conventional controls such as MFA or network segmentation proved insufficient to stop him. Encryption should have acted as a secondary barrier, but apparently did not.

    The breach illustrates two key failures: delayed detection (over a year), and inadequate data protection such that an insider could remove or copy personal information with no immediate alert. In environments where trusted insiders operate, data encryption is often the last effective barrier.

    Why Encryption Alone Isn’t Enough—And Where Organisations Often Go Wrong

    Encryption serves as the final defence layer—but only if implemented and managed properly. Common pitfalls exposed by the FinWise breach include:

    • Weak key-management allowing misuse of encrypted data.
    • Lack of granular encryption at column or file level, letting attackers access sensitive fields.
    • Insufficient monitoring of admin or insider access to encrypted zones.
    • Poor segregation of duties: database admins and security admins may share key access, undermining separation of privileges.

    Although FinWise has not disclosed exact details of its encryption deployment, analysts believe the incident shows that simply “encrypting data” without holistic governance is ineffective.

    Immediate Recommendations for Financial Institutions Facing Insider Risk

    In light of lessons from FinWise, compliance and security teams should prioritise:

    • Full audit and verification of data encryption regimes—ensure all sensitive fields (SSNs, account numbers, PII) are encrypted at rest and in transit.
    • Independent key-management systems where database admin privileges do not automatically confer key access.
    • Insider-threat detection programs: monitor large data exports, anomalous credential reuse and ex-employee access attempts.
    • Rapid breach-detection mechanisms: set up data-loss-prevention (DLP) and file-integrity alerting to reduce dwell time.
    • Clear incident-response and regulatory-disclosure plans: delays in acknowledging a breach aggravate reputational and legal damage.

    Strategic Implications: Protecting Against the Human Element

    The FinWise incident signals a broader shift: as external attacks become better defended, insider threats—malicious or negligent—are emerging as leading breach vectors. The value of encryption is highest in these scenarios, because insider credentials bypass perimeter defences and MFA. Organisations must adopt a mindset where encryption, key-management, and access governance are foundational—not optional.

    Data protection is no longer just about preventing external intrusion but about limiting the damage when trusted insiders go rogue. FinWise’s delayed detection, alleged encryption shortcomings and large volume of exposed records highlight why financial institutions must treat encryption as the last line of defence, and ensure it is operational, effective and resilient.
