Hello! Have you heard of the FinWise Bank data breach? This is a great story and a timely lesson for anyone interested in ensuring data security. I was recently reading about it, and I think it demonstrates why encryption is your last line of defense when all else fails.
What Happened?
In May of 2024, a former employee of FinWise Bank accessed the FinWise system again after having left the bank. The former employee stole the information of about 689,000 customers who secured payment services from an affiliated partner, American First Finance (AFF).
Even worse, according to the reporting, it took FinWise Bank more than a year to discover what had happened, only reporting it in June of 2025. During that time, a substantial amount of highly sensitive data had been breached.
According to reporting, a lack of adequate encryption on customer data storage contributed to the data being accessed. The data was stored in a relatively unprotected format, either plain text or an easily deciphered form, which allowed the former employee to copy and view the information.
Why Is This Such a Big Problem?
Many people assume hackers are always outsiders attempting to gain access. However, this time it was an insider threat: someone with existing access. That is a lot harder to detect.
Think of it this way:
• If the lock on your personal diary is closed, no one can read the content. If it is left open, anyone can flip through the pages.
• That is what happened here — the data was not locked (encrypted).
• And because the system did not pick up the suspicious access, it went undetected for months.
So, no encryption + insider access = really bad news.
Why Encryption Matters Most
The real lesson here is that encryption protects your data when nothing else works.
Even if someone breaks in, if your files are encrypted and your keys are locked up, the intruder cannot read a thing. This is what people mean when they call encryption the last line of defense.
According to news reports, FinWise either did not adequately manage encryption keys or did not encrypt certain customer data even when it should have. This is a big misstep. I have witnessed this same scenario previously: companies skip encryption because it feels tricky and too costly. However, they always figure out that skipping encryption was the wrong decision once the breach occurs.
What Do We Take Away From This?
To keep it simple, here is what everyone should do:
• Encrypt everything: Encrypt data at rest and data in transit.
• Protect the keys: Protect the encryption keys and only allow a very small number of trusted individuals to access the keys.
• Pay attention to odd behavior: If an ex-employee is still logging in — be very concerned!
• Update offboarding procedures: Ensure that when employees leave the organization, they lose access to sensitive data on their last day of employment.
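To make the last two takeaways concrete, here is an added example (not from the reporting or from FinWise) that cross-checks an HR offboarding roster against authentication logs and flags successful logins after an employee's last day. The CSV column names, accounts, and log rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed HR offboarding export: account name and last day of employment (UTC).
HR_ROSTER = """user,last_day
jdoe,2024-04-30
asmith,2024-06-14
"""

# Constructed authentication log: timestamp, account, result, source address.
AUTH_LOG = """ts,user,result,source
2024-04-29T15:02:11Z,jdoe,success,10.0.4.17
2024-05-03T02:41:09Z,JDOE,success,203.0.113.8
2024-05-03T02:44:30Z,jdoe,failure,203.0.113.8
2024-05-20T23:15:52Z,jdoe,success,203.0.113.8
2024-06-10T09:00:00Z,asmith,success,10.0.4.22
2024-06-10T09:05:00Z,bnguyen,success,10.0.4.31
"""

def load_cutoffs(roster_csv):
    # Access should end when the last day ends, so the cutoff is the next midnight UTC.
    cutoffs = {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        day = datetime.strptime(row["last_day"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        cutoffs[row["user"].strip().lower()] = day + timedelta(days=1)
    return cutoffs

def post_departure_logins(roster_csv, auth_csv):
    """Return {user: summary} for successful logins after the offboarding cutoff."""
    cutoffs = load_cutoffs(roster_csv)
    findings = {}
    for row in csv.DictReader(io.StringIO(auth_csv)):
        user = row["user"].strip().lower()  # account names often vary in case across logs
        if user not in cutoffs or row["result"] != "success":
            continue
        ts = datetime.fromisoformat(row["ts"].replace("Z", "+00:00"))
        if ts < cutoffs[user]:
            continue  # login happened while the person was still employed
        hit = findings.setdefault(user, {"count": 0, "first": ts, "last": ts, "sources": set()})
        hit["count"] += 1
        hit["first"] = min(hit["first"], ts)
        hit["last"] = max(hit["last"], ts)
        hit["sources"].add(row["source"])
    return findings

if __name__ == "__main__":
    for user, hit in post_departure_logins(HR_ROSTER, AUTH_LOG).items():
        print(user, hit["count"], hit["first"].isoformat(), hit["last"].isoformat(), sorted(hit["sources"]))
```

Any account that shows up in the result still had working credentials after offboarding, so each hit is both an alert to investigate and evidence that the access-removal step was missed.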