Incident Analysis

Finastra Data Breach 2024: 400GB of SWIFT and Financial Messaging Data on the Dark Web

In November 2024, a threat actor began offering for sale 400GB of data stolen from Finastra, one of the world's largest financial technology companies, whose SWIFT messaging, core banking and payments software serves over 8,000 financial institutions globally. The listing appeared on a dark web forum with samples that the seller said contained SWIFT transaction data and other sensitive financial messaging. Finastra confirmed it was investigating unauthorised access to an internally hosted Secure File Transfer Platform, referred to in this analysis as its Managed File Transfer (MFT) platform, and said its initial evidence pointed to compromised credentials rather than a software vulnerability. The incident underscored a critical truth: when a provider at the heart of global financial messaging infrastructure is breached, the consequences extend to every institution that relies on it.

400GB of Finastra data, reportedly including SWIFT messaging records, appeared for sale on a dark web forum in November 2024, taken from a provider serving 8,000+ financial institutions globally.

What Was Compromised: SWIFT Data and Financial Messaging Records

Finastra's product portfolio includes some of the most sensitive infrastructure in global finance:

  • SWIFT messaging platforms: Finastra provides SWIFT connectivity and messaging solutions used by financial institutions for interbank payment messaging
  • Managed File Transfer (MFT) platform: the confirmed point of compromise. Finastra described it as an internally hosted Secure File Transfer Platform used to exchange files with clients and counterparties; a single such platform holds files belonging to many customers at once
  • Core banking data: Finastra's core banking products serve hundreds of banks globally, though the full scope of the breach was not publicly confirmed
  • The 400GB of data offered for sale came with samples that, according to the seller and initial reporting, contained SWIFT transaction data and financial messaging records; which customers and data types were affected was not publicly confirmed
  • Finastra's initial assessment was that the attacker used compromised credentials to access the MFT platform, pointing to credential theft (phishing, infostealer malware or reuse of a leaked password) rather than a zero-day vulnerability as the initial access vector

The Attack Vector: Compromised Credentials and MFT Exploitation

Managed File Transfer platforms have become a favoured target for threat actors, as the Cl0p campaigns against GoAnywhere MFT in early 2023 and MOVEit Transfer in mid-2023 demonstrated. Those campaigns exploited zero-day vulnerabilities; the Finastra incident reportedly did not, but the attraction is the same: an MFT platform is reachable from the internet, holds sensitive files in transit, and, once compromised, exposes files belonging to many clients at once. The compromised-credential access reported by Finastra is consistent with credential theft (phishing, infostealer malware or reuse of a leaked password), followed by bulk downloading of files before the activity was detected. For any institution running or relying on such a platform, the practical controls are the same: phishing-resistant MFA on every interactive account, IP allowlisting or client certificates for automated transfer accounts, and alerting on logins from unfamiliar addresses and on download volumes that depart sharply from an account's own baseline.
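The detection side of this pattern, as an added example that is not part of the original article and has no connection to Finastra's actual logs or systems: a small Python script that runs two heuristics over constructed file-transfer audit log lines in a hypothetical key=value format. It flags an account whose daily download volume jumps to many times its own historical median, noting whether that day's logins came from an IP address the account had never used, and it flags a source IP that fails logins against many distinct accounts within a short window, the signature of credential stuffing. The log format, account names, IP addresses and thresholds are all assumptions chosen for the example.

```python
"""Two detection heuristics for a shared file-transfer (MFT/SFTP) platform.

Hypothetical audit-log format (an assumption for this example, not any
vendor's real format):
    <ISO-8601 UTC timestamp> user=<account> ip=<source ip> action=login result=ok|fail
    <ISO-8601 UTC timestamp> user=<account> ip=<source ip> action=download bytes=<n>
Every log line in SAMPLE_LOG below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)"
    r"(?: result=(?P<result>\S+))?(?: bytes=(?P<bytes>\d+))?$"
)

# Constructed sample: three quiet days for acme_svc from its usual address,
# a spray of failed logins from 203.0.113.5 against other accounts, then a
# successful login for acme_svc from that same address and three large pulls.
SAMPLE_LOG = """\
2024-10-28T09:00:00Z user=acme_svc ip=198.51.100.10 action=login result=ok
2024-10-28T09:00:05Z user=acme_svc ip=198.51.100.10 action=download bytes=2400000
2024-10-29T09:00:00Z user=acme_svc ip=198.51.100.10 action=login result=ok
2024-10-29T09:00:05Z user=acme_svc ip=198.51.100.10 action=download bytes=2600000
2024-10-30T09:00:00Z user=acme_svc ip=198.51.100.10 action=login result=ok
2024-10-30T09:00:05Z user=acme_svc ip=198.51.100.10 action=download bytes=2500000
2024-10-30T10:00:00Z user=bank_b ip=192.0.2.20 action=login result=ok
2024-10-30T10:00:04Z user=bank_b ip=192.0.2.20 action=download bytes=800000
2024-10-31T10:00:00Z user=bank_b ip=192.0.2.20 action=login result=ok
2024-10-31T10:00:04Z user=bank_b ip=192.0.2.20 action=download bytes=900000
2024-10-31T23:58:01Z user=bank_b ip=203.0.113.5 action=login result=fail
2024-10-31T23:58:03Z user=bank_c ip=203.0.113.5 action=login result=fail
2024-10-31T23:58:06Z user=bank_d ip=203.0.113.5 action=login result=fail
2024-10-31T23:58:09Z user=bank_e ip=203.0.113.5 action=login result=fail
2024-10-31T23:58:12Z user=bank_f ip=203.0.113.5 action=login result=fail
2024-11-01T02:13:44Z user=acme_svc ip=203.0.113.5 action=login result=ok
2024-11-01T02:14:01Z user=acme_svc ip=203.0.113.5 action=download bytes=61000000
2024-11-01T02:19:30Z user=acme_svc ip=203.0.113.5 action=download bytes=58000000
2024-11-01T02:25:12Z user=acme_svc ip=203.0.113.5 action=download bytes=44000000
"""


def parse_log(text):
    """Parse key=value audit lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["bytes"] = int(e["bytes"]) if e["bytes"] else 0
        events.append(e)
    return events


def detect_exfiltration(events, multiplier=10, min_prior_days=2):
    """Flag (account, day) pairs whose download volume is at least `multiplier`
    times the account's median daily volume on earlier days, and record which
    of that day's login IPs the account had never used before."""
    daily = defaultdict(int)      # (user, date) -> bytes downloaded that day
    logins = defaultdict(list)    # user -> [(date, ip)] for successful logins
    for e in events:
        day = e["ts"].date()
        if e["action"] == "download":
            daily[(e["user"], day)] += e["bytes"]
        elif e["action"] == "login" and e["result"] == "ok":
            logins[e["user"]].append((day, e["ip"]))
    alerts = []
    for user in sorted({u for u, _ in daily}):
        days = sorted(d for u, d in daily if u == user)
        for i, day in enumerate(days):
            prior = [daily[(user, d)] for d in days[:i]]
            if len(prior) < min_prior_days:
                continue              # not enough history to form a baseline
            baseline = median(prior)
            total = daily[(user, day)]
            if total >= multiplier * baseline:
                seen_before = {ip for d, ip in logins[user] if d < day}
                today = {ip for d, ip in logins[user] if d == day}
                alerts.append({
                    "user": user, "day": day.isoformat(), "bytes": total,
                    "baseline": baseline, "new_ips": sorted(today - seen_before),
                })
    return alerts


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that fail logins against at least `min_users` distinct
    accounts inside any sliding window of length `window`."""
    fails = defaultdict(list)     # ip -> [(timestamp, user)] for failed logins
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            fails[e["ip"]].append((e["ts"], e["user"]))
    alerts = []
    for ip, items in sorted(fails.items()):
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append({"ip": ip, "distinct_users": len(users),
                               "window_start": start.isoformat()})
                break                 # one alert per source IP is enough
    return alerts


def run(text):
    """Parse a log and return both sets of alerts."""
    events = parse_log(text)
    return {"exfiltration": detect_exfiltration(events),
            "credential_stuffing": detect_credential_stuffing(events)}


if __name__ == "__main__":
    for kind, found in run(SAMPLE_LOG).items():
        for alert in found:
            print(kind, alert)
```

The thresholds (ten times the median daily volume, five distinct accounts in five minutes) are starting points, not recommendations: tune them against your own platform's history, and give any service account that legitimately pulls month-end bulk files its own baseline so the volume rule does not page on a scheduled job. The new-IP check is what separates a compromised account from a busy one, which is why the two signals are reported together.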

Implications for Financial Institutions Using Third-Party Fintech Providers

The Finastra breach demonstrates the supply chain risk inherent in financial services' reliance on shared technology providers:

  • SWIFT data exposure: For institutions whose SWIFT transactions were processed through Finastra, the potential compromise of transaction records creates both regulatory notification obligations and operational risk
  • Counterparty risk: Financial institutions that share data through Finastra's MFT systems face potential exposure of counterparty information and transaction details
  • Third-party breach notification: Finastra's obligation to notify affected clients — and those clients' obligations to notify their regulators and customers — creates a cascade of regulatory reporting requirements
  • ICO and FCA notification: UK financial institutions that received notification of the Finastra breach may have had GDPR and FCA notification obligations of their own depending on the nature of data affected
  • Contractual gaps: Many institutions had no contractual provision requiring Finastra to notify them within a defined timeframe, which is precisely the gap that DORA's contractual requirements for ICT third-party providers (Article 30) are designed to close

What Financial Firms Should Do Following a Third-Party Breach Notification

When a critical technology provider like Finastra notifies you of a breach, the response sequence matters:

  • Immediate: Determine scope — what data did Finastra hold or process on your behalf? What systems and transactions are potentially affected?
  • Within 24 hours: Assess whether personal data of your clients or staff was involved. Under Article 33 UK GDPR the 72-hour clock for notifying the ICO runs from the moment you, as controller, become aware of the breach, which will usually be the point at which the processor's notification gives you a reasonable degree of certainty that your data was affected
  • Within 72 hours: Assess whether this constitutes a material operational incident requiring FCA notification under Principle 11 and SUP 15.3, and whether it disrupts an important business service under the operational resilience rules (PS21/3)
  • Parallel: Engage your incident response team and legal counsel; document every step of the assessment
  • Ongoing: Review and strengthen your contracts with critical third-party providers to require defined breach notification timelines, scope of notifications, and remediation commitments
  • Post-incident: Assess whether your third-party risk management programme would have identified this risk and what changes are required

Frequently Asked Questions

Do we need to notify the ICO if our SWIFT data was in Finastra's breach?

It depends on whether personal data was involved. SWIFT transaction data can contain personal data (individual account holders, beneficiary names). If personal data relating to your clients was processed by Finastra and was involved in the breach, you may have an obligation to notify the ICO within 72 hours of becoming aware that a notifiable breach has occurred. You also need to assess whether you need to notify affected individuals. Your legal counsel and DPO should be engaged immediately upon receiving breach notification from any third-party processor.

How does the Finastra breach relate to DORA's third-party requirements?

DORA, which has applied since 17 January 2025, requires financial entities to include specific provisions in their contracts with ICT third-party service providers (Article 30), including an obligation on the provider to notify the financial entity of developments, such as an ICT-related incident, that could have a material impact on the service. The Finastra breach is a clear example of the scenario DORA addresses: a critical ICT provider breach that affects multiple financial institutions simultaneously. Under DORA, firms must have these contractual notification obligations in place, must maintain a register of information on their ICT third-party arrangements, and must have assessed concentration risk of the kind a Finastra dependency represents.

Should we stop using Finastra products after this breach?

This is a risk management decision that depends on the criticality of the products you use, the nature of data processed, and your assessment of Finastra's remediation response. Finastra is one of the largest fintech providers globally — replacing core infrastructure is not a decision to take lightly. The more relevant response is to: review your contracts with Finastra to ensure adequate notification, audit, and security standard provisions; assess what data Finastra holds and processes; and implement monitoring of Finastra's security posture through vendor risk management tools like Panorays.

Monitor your critical fintech providers' security posture

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.

Get in touch
