A former employee of FinWise Bank has been accused of accessing sensitive customer data belonging to approximately 689,000 clients of American First Finance (AFF) after their employment ended, according to filings with the Maine Attorney General and other reports. The breach is said to have occurred on May 31, 2024, but remained undiscovered until June 18, 2025. Affected records reportedly include full names and other personal data elements, though the exact breadth of exposed personal identifiers has not been fully disclosed. FinWise contracts with AFF to provide installment loans and financial services, and those with open or applied-for installment loans, lease-to-own accounts, or retail installment accounts are likely impacted. In response, FinWise has engaged external cybersecurity experts, notified law enforcement, alerted affected individuals, and is offering 12 months of free credit monitoring and identity-theft protection.
Sources: BleepingComputer, SecurityWeek
Key Takeaways
– Delayed Discovery & Insider Access: The breach occurred in May 2024, but took over a year to detect; the person who accessed the data was a former employee whose access should have been revoked.
– Scope & Exposure: Around 689,000 individuals are affected; the compromised information includes full names and other personal data elements, with potential exposure of further sensitive identifiers.
– Remediation Measures: FinWise is offering one year of credit monitoring and identity theft protection to those affected, and has brought in outside security firms to assess risks and tighten controls. Multiple state regulators and possibly class-action litigators are involved.
In-Depth
In an unsettling turn of events for consumers and companies alike, FinWise Bank disclosed that a data breach involving a former employee exposed sensitive information for roughly 689,000 customers of American First Finance (AFF). The incident took place on May 31, 2024, but the breach went undetected until over a year later—on June 18, 2025. This kind of time lag isn’t unusual in complex data-security incidents, but it serves as a harsh reminder of how quickly personal data can be at risk and how much damage can occur while systems remain unchecked.
The breached data include full names and other important personal-data elements, though there’s no definitive public confirmation yet on exactly how extensive the exposure is (for instance, whether Social Security numbers, dates of birth, or bank account/routing numbers were involved). What’s clearer is who likely got hit: people who have taken out or applied for AFF installment loans, lease-to-own or retail installment accounts. Because FinWise serves as lender and funding party in its arrangement with AFF, it holds or handles a variety of data points that are integral to loan origination and servicing.
Once alerts sounded, FinWise didn’t stand still. The company engaged third-party cybersecurity experts to conduct damage assessment, boosted monitoring, notified law enforcement, and reached out to those affected with an offer of a free year of credit monitoring and identity-theft protection. These are the kinds of mitigation steps you’d expect in a breach of this scale—better late than never, but not without real risks for individuals whose records were accessed.
Regulatory, legal, and reputational fallout is already in motion. The disclosure came as part of filings with the Maine Attorney General, among others; class-action lawsuit activity is also reported. Whether this breach results in significant financial liability depends on how thoroughly FinWise can demonstrate that it had reasonable security controls in place, how soon it moves to correct gaps, and how many of those affected can show actual or likely harm. For individuals, the usual advice holds: monitor credit reports closely, consider fraud alerts or freezes, be alert to phishing or identity misuse, and keep documentation of any suspicious activity.
This incident underscores the increasing insider risk component in data security: access revocation, continuous monitoring of user behavior, and clear policies around employee departures are more than HR or IT concerns—they’re lines of defense that need active management.

