Exclusive: Aussie mortgage broker Finsure confirms ‘cyber incident’ impacting customers and brokers

Finsure confirmed the incident after “nearly 300,000 allegedly unique emails” from Finsure were added to data leak website Have I Been Pwned.

Australian mortgage brokerage group Finsure has confirmed that marketing data for a number of its brokers and clients has been affected by a recent “cyber incident”.

The confirmation comes after nearly 300,000 alleged email addresses linked to Finsure were added to security researcher Troy Hunt’s database of compromised credentials, Have I Been Pwned.

Cyber Daily first learned of the incident through a real estate industry source. However, at the time, the alleged victim was named as ActivePipe, an Australian real estate marketing platform.

However, just days before, Finsure was added to the Have I Been Pwned site alongside the alleged third-party source of the leak – ActivePipe.

“As of October 2024, almost 300,000 unique email addresses from Australian mortgage brokerage group Finsure were obtained from property marketing platform ActivePipe,” a November 19 update on Have I Been Pwned states.

“The affected data also included names, telephone numbers and physical addresses. The incident did not directly affect any of Finsure’s systems or expose any passwords or financial data.”

The exact number of what Have I Been Pwned calls “compromised accounts” is 296,124.

According to the update, the incident occurred on October 15 and Finsure confirmed that some of its customer data was impacted.

“We recently sent a precautionary notification to a small number of brokers and clients regarding a cyber incident that recently affected our business,” a Finsure spokesperson told Cyber Daily.

“We have been made aware of an incident where a cybersecurity researcher accessed marketing data on a third-party service provider’s platform via compromised credentials.”

Finsure said it has since worked with the third-party provider – presumably ActivePipe – and that the issue has been resolved.

“We worked with the third-party vendor and cybersecurity experts to review data from the affected system. This investigation determined that the majority of data is limited to basic coordinates, which are already in the public domain. There is no evidence of misuse or publication of personal information about any individual,” he said.

As noted in the Have I Been Pwned update, Finsure confirmed that no credit card details, personal IDs, passwords or financial information were affected.

“We remain committed to protecting the personal information of all individuals and sincerely apologize for any concern this incident may have caused,” Finsure said.

While Finsure said the exposed data was publicly available – and therefore not considered a notifiable data breach – Have I Been Pwned’s description of the leaked emails as “unique” suggests that most, if not all of them, were not listed on the site before this leak.

ActivePipe has also responded to the claims made on Have I Been Pwned and denies that so many emails were affected by the incident.

“On November 6, ActivePipe was informed by an aggregator partner that a cybersecurity researcher was able to access basic contact data on a third-party service provider’s platform due to compromised credentials,” ActivePipe said in a statement.

“We immediately launched a thorough investigation into the issue, with the API credentials immediately reset and the aggregator partner contacting the affected parties.

“At no time was the ActivePipe platform breached, and no data from other customers or integrations was involved in this issue. ActivePipe [does] not store or retain these credentials once provided to the third party, and we verify the credentials through an industry standard one-way encryption mechanism.”

Although the data affected includes names, email addresses, phone numbers, and addresses, according to ActivePipe, the number of people affected is much lower than currently listed on Have I Been Pwned.

“We were informed that only 35 contacts had data in the system that required preventive communication from our aggregator partner. No passwords or financial data have been exposed or are at risk of being exposed,” ActivePipe said.

“Regarding the announcement made by Troy Hunt, we are exploring our legal options as we consider his communication to be misleading and damaging to the reputation of our company.”

Cyber Daily has contacted Troy Hunt for comment.


UPDATED 11/27/24 to include ActivePipe comments.