Pierluigi Paganini September 16, 2025

An ex-employee caused an insider breach at FinWise Bank, exposing data of 689,000 American First Finance customers.

FinWise Bank is a Utah-based community bank, FDIC-insured, that partners with fintechs and lenders to offer consumer loans, small business financing, and deposit services.

FinWise Bank notified the Maine AG that a data breach tied to the U.S.-based financial services company American First Finance (AFF) occurred on May 31, 2024, exposing the data of 689,000 people.

FinWise funds consumer loans while AFF manages applications, originations, and servicing.

The investigation conducted with the support of external cybersecurity professionals revealed that a former employee maintained access to AFF data after leaving, including personal details. The bank did not share technical information about the security breach. It’s not clear whether the former FinWise employee accessed data beyond AFF records, or whether their actions were intentional or simply negligent.

The breach may have impacted FinWise loans, AFF lease-to-own accounts, or retail installment sales agreements linked to affected individuals.

“On May 31, 2024, FinWise experienced a data security incident involving a former employee who accessed FinWise data after the end of their employment. Some of the data impacted includes American First Finance’s (“AFF’s”) data.” reads the data breach notification published by the Maine General Attorney. “FinWise contracts with AFF to offer installment loans to consumers. In this arrangement, FinWise is the lender and AFF is the technology provider.”

The company is offering 12 months of free credit monitoring and identity theft protection services to the impacted individuals.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, FinWise Bank)