FinWise took a year to disclose a breach affecting 689,000

  • Key insight: FinWise Bank disclosed a data breach impacting nearly 700,000 people more than a year after discovering it.
  • What's at stake: FinWise faces potential damages of more than $5 million, plus reputational harm from delayed disclosure.
  • Forward look: Plaintiffs are seeking court orders requiring stronger encryption and lifetime credit monitoring for victims.

Overview bullets generated by AI with editorial review

FinWise Bank, a Utah-chartered financial institution that specializes in embedded banking, publicly disclosed a data breach this month affecting nearly 700,000 people.

The disclosure came more than a year after the bank discovered the incident, and FinWise and its fintech partner American First Finance now face six class action lawsuits seeking $5 million in relief.

The incident, which FinWise attributed in regulatory filings to "insider wrongdoing," highlights risks to banks related to employee access controls and regulatory disclosure timelines.

FinWise Bank said in a disclosure to the Maine Attorney General that it discovered the unauthorized access, which affected 689,000 people, on May 31, 2024. The bank did not begin notifying victims until late July 2025.

The Maine Attorney General subsequently published the notification on September 12.

Utah state law requires that a company that suffers a data breach affecting at least 500 state residents report the incident to the Utah attorney general "in the most expedient time possible without unreasonable delay," but the law does not specify a number of days. It is unclear whether and when FinWise reported the incident to the state.

Victims argued in six class action lawsuits filed against FinWise that this delay left them unaware of the risk they faced and vulnerable to identity theft.

The lawsuits have been consolidated in the U.S. District Court for Utah.

The Securities and Exchange Commission (SEC) also has a breach notification rule that requires publicly traded companies to report data breaches and other cybersecurity incidents within four days of determining that the incident was "material," according to the rule.

Although the forensic investigation into the incident took a while, "as soon as forensics gave FinWise the details of their findings" following analysis, FinWise deemed it met the definition of a material incident according to SEC regulations and disclosed the information in a quarterly earnings report, according to a spokesperson for FinWise Bank.

FinWise identified the breach shortly after it happened, but until it completed a forensic investigation, the bank "could not determine all of the specifics," according to the spokesperson.

"A lot of the window of time" between discovering the incident and deeming it to be material was "time that it took to do a forensic IT investigation and coordination with the FinWise insurance carrier," the FinWise spokesperson told American Banker.

"Identifying and finalizing a list of 600k+ impacted takes a while and it's something that has to be done very carefully," the spokesperson said.

According to FinWise's disclosure in Maine, the compromised data (known as personally identifiable information, or PII) included full names, dates of birth, Social Security numbers and account numbers.

The victims suing FinWise said the bank stored this data unencrypted and claim it "negligently and unlawfully failed to safeguard" the information, according to one of the lawsuits.

The combination of name, date of birth, and SSN is particularly valuable to criminals on the dark web.

Data affected fintech partner

The security incident impacts both FinWise Bank and its fintech partner, American First Finance.

FinWise is a national bank focused on embedded banking services, where it helps nonbank businesses, especially fintechs, offer financial products to consumers.

Specifically, FinWise contracts with American First to offer installment loans to consumers. In this arrangement, FinWise is the lender, and American First is the technology provider.

American First provides the application platform, facilitates loan origination for FinWise and services the loan on FinWise's behalf. Importantly, the impacted data included American First's customer data.

While not explicitly stated in regulatory filings or the lawsuits, the former FinWise employee appears to have accessed data exclusively related to the bank's partnership with American First, not data from general FinWise banking operations or data related to other fintech partners.

The class action plaintiffs each sued over information that related to their interaction with American First as part of the lending arrangement facilitated by FinWise.

Lawsuits seek more than $5 million in damages

The six class action lawsuits have been consolidated in the District of Utah. The plaintiffs' claims against FinWise and American First include negligence, breach of contract and unjust enrichment. The consolidated lawsuit claims more than $5 million is in controversy but does not specify the amount of damages sought.

To put that amount in perspective, FinWise had $14.7 million in net interest income in the second quarter of 2025, according to its Form 10-Q filed on August 11 with the SEC.

FinWise said in the 10-Q that it "intends to defend any such lawsuits vigorously, but there is no guarantee that the Company will prevail." FinWise also said in the filing it believes any possible losses or damages "will not be material."

The victims pressed the court for various forms of relief, including court orders requiring FinWise "to protect, including through encryption, all data collected through the course of business in accordance with all applicable regulations, industry standards and federal, state or local laws."

The consumers also called for lifetime credit monitoring and identity theft protection, arguing the offered 12 months is inadequate given the lifelong risk of identity theft resulting from stolen Social Security numbers.

Update
This story has been updated to include a statement from a spokesperson for FinWise Bank and information about the SEC's cybersecurity incident reporting rule.
September 24, 2025 11:45 AM EDT