iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Finsure has confirmed the incident after “almost 300,000 unique” alleged Finsure emails were added to the data leak website Have I Been Pwned.
Australian mortgage broking group Finsure has confirmed that the marketing data of a number of its brokers and customers was impacted by a recent “cyber incident”.
The confirmation comes after nearly 300,000 alleged email addresses linked to Finsure were added to security researcher Troy Hunt’s database of compromised credentials, Have I Been Pwned.
Cyber Daily first learnt of the incident via a source in the real estate industry. However, at the time, the alleged victim was named as ActivePipe, an Australian real estate marketing platform.
However, a couple of days before, Finsure had been added to the “Who’s been pwned” section of the Have I Been Pwned site alongside the alleged third-party source of the leak – ActivePipe.
“In October 2024, almost 300k unique email addresses from Australian mortgage broking group Finsure were obtained from the ActivePipe real estate marketing platform,” said a 19 November update on Have I Been Pwned.
“The impacted data also included names, phone numbers, and physical addresses. The incident did not directly affect any of Finsure’s systems or expose any passwords or financial data.”
The exact number of what Have I Been Pwned refers to as “compromised accounts” is 296,124.
According to the update, the incident occurred on 15 October, and Finsure has confirmed that some of its customer data has been impacted.
“We have recently provided a precautionary notification to a small number of brokers and customers about a cyber incident which recently affected our business,” a Finsure spokesperson told Cyber Daily.
“We were made aware of an incident where a cyber security researcher accessed marketing data on a third-party service provider’s platform via compromised credentials.
Finsure said it has since worked with the third-party provider – presumably ActivePipe – and the issue has been resolved.
“We have worked with the third-party provider and cyber security experts to review the data on the impacted system. This investigation determined that the majority of data is limited to basic contact information, which is already in the public domain. There is no evidence of misuse or publication of any individual’s personal information,” it said
As was said in the Have I Been Pwned update, Finsure confirmed that no credit card details, personal IDs, passwords, or financial information were impacted.
“We remain committed to protecting the personal information of all individuals, and we sincerely apologise for any concern that this incident may have caused,” Finsure said.
While Finsure has said that the exposed data was publicly available – and is therefore not considered a notifiable data breach – the description of the leaked emails as “unique” by Have I Been Pwned suggests that most, if not all, have not been listed on the site prior to this leak.
ActivePipe has also responded to the claims made on Have I Been Pwned and denies such a large number of emails were impacted by the incident.
“On November 6th, ActivePipe was informed by an aggregator partner that a cyber security researcher was able to access basic contact data on a third-party service provider’s platform due to compromised credentials,” ActivePipe said in a statement.
“We immediately commenced a comprehensive investigation of the issue with the API credentials immediately reset, and the aggregator partner contacting the impacted parties.
“At no point was the ActivePipe platform breached, and no data for any other customers or integration was part of this issue. ActivePipe [does] not store or keep these credentials once given to the third party, and we verify the credentials through an industry standard, one-way encryption mechanism.”
While the impacted data did include names, emails, phone numbers, and addresses, according to ActivePipe, the number of individuals impacted is far lower than that currently listed on Have I Been Pwned.
“We have been advised that only 35 contacts had data within the system that required a precautionary communication from our aggregator partner. No passwords or financial data were exposed or are at risk of exposure,” ActivePipe said.
“In relation to the announcement made by Troy Hunt, we are investigating our legal options as we consider his communication misleading and damaging to our company’s reputation.”
Cyber Daily has reached out to Troy Hunt for comment.
UPDATED 27/11/24 to include ActivePipe commentary.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
