Roughly 689,000 customers’ personal data may have been exposed in a cybersecurity breach that Murray, Utah-based FinWise Bank said it discovered more than a year after the fact.
A former employee accessed the information, including names, dates of birth, Social Security numbers and account numbers, on May 31, 2024 – but the bank didn’t discover the breach until June 18, 2025, according to a disclosure the Maine attorney general’s office published Sept. 12.
FinWise notified customers July 29 and, within days, the bank and its fintech partner, American First Finance, were sued by multiple plaintiffs. Six class-action lawsuits have been consolidated in federal court in Utah.
At least one plaintiff argued the bank stored the data unencrypted and “negligently and unlawfully failed to safeguard” it, according to one of the lawsuits.
FinWise did not immediately respond to a request for comment.
However, the bank, in its letter to affected customers, said once the breach was discovered, it “immediately launched an investigation in consultation with outside cybersecurity professionals who regularly investigate and analyze these types of situations to help determine whether any sensitive data had been accessed.”
FinWise also is offering affected users 12 months of free credit monitoring and identity theft protection services.
Some plaintiffs, however, are calling for lifetime credit monitoring and identity theft protection, arguing a year of services is not sufficient to combat the threat of Social Security number exposure.
The consolidated lawsuit seeks more than $5 million in relief but does not specify how much of that is for damages.
Plaintiffs have accused FinWise and American First Finance of negligence, breach of contract and unjust enrichment and are seeking a court order requiring the bank “to protect, including through encryption, all data collected through the course of business.”
FinWise warned investors in an August quarterly filing that “similar lawsuits may be forthcoming.”
The bank said it would “defend any such lawsuits vigorously,” adding it could not estimate related losses or damages but predicted they “will not be material.”
“Some” of the affected data is connected to American First Finance, FinWise said in its letter to affected customers. The fintech partners with FinWise to offer installment loans. Under the partnership, FinWise is the lender and American First provides tech.
Among the points of contention in the lawsuit, presumably, is a gray area in Utah law. The state requires companies that experience a data breach affecting at least 500 residents to report the incident “in the most expedient time possible without unreasonable delay.” The law, however, does not give guidance as to a specific number of days.
FinWise is not the first lender to have a yearlong lag between breach and discovery. Lake Jackson, Texas-based TDECU disclosed in August 2024 that it was one of several dozen financial institutions affected by a MoveIt cybersecurity incident, though it said it didn’t learn of it until more than a year afterward.
Nor is FinWise the first bank to have its data exposed by a former employee or partner firm. Perhaps the most infamous breach of a bank in the past decade – the July 2019 hack of Capital One – came at the hands of a former Amazon Web Services employee, a court found. The breach exposed the personal data of 106 million people.
Capital One paid an $80 million penalty to the Office of the Comptroller of the Currency and another $190 million to settle a class-action lawsuit. The Federal Reserve terminated a breach-related enforcement action against the bank in 2023, about 10 months after the OCC ended a separate order.
FinWise is not alone among financial institutions bringing cybersecurity incidents to light this year. North Haven, Connecticut-based Connex Credit Union disclosed a data breach last month involving roughly 172,000 people’s personal information.
Phoenix, Arizona-based Western Alliance disclosed a cyber incident in March that potentially exposed 22,000 customers’ information. That intrusion, through a vulnerability in a third-party vendor’s file transfer software, went undetected for more than three months, according to the bank’s disclosure to the Maine attorney general’s office.
In its letter to affected customers, FinWise said “maintaining our clients’ trust and protecting our clients’ personal information are among our highest priorities.”