The Breach That Did Not Need a Hacker: How Ordinary Identity Gaps Create Extraordinary Damage

Security teams spend enormous time preparing for attackers who exploit zero-days, break through firewalls, or launch sophisticated phishing campaigns. Yet the breach at FinWise Bank demonstrates a different and more unsettling truth. Not every incident requires a hacker. Sometimes the most damaging breaches begin with something far more ordinary.

In May 2024, a former FinWise employee accessed internal systems using retained credentials and retrieved sensitive personal information tied to American First Finance customers. The access continued for months without detection. By the time FinWise discovered the issue in June 2025, 689,000 individuals were affected.

This incident is a reminder that the threat landscape has evolved. While advanced exploits still matter, organizations increasingly face risks that arise from everyday identity oversights. Understanding these gaps and managing them with discipline has become one of the most important parts of modern cloud and SaaS security.

Most breaches begin with some form of intrusion. Someone breaks in through a misconfigured S3 bucket, a leaked key on GitHub, or a compromised VPN account. The FinWise case is different. Here, the entry point was not a compromise but a leftover identity in an active system. That identity still carried access to sensitive financial data, even after employment ended.

The two most concerning elements are the simplicity of the breach and the duration of exposure. The former employee did not need to bypass security controls or exploit a vulnerability. They simply used access that should have been revoked. More importantly, this activity continued for an estimated thirteen months before anyone noticed.

There were no alerts, no automated checks, and no identity monitoring controls to surface unusual access patterns.

These details highlight a wider problem. Many organizations assume that once an employee leaves, their access is cleanly removed. In reality, cloud and SaaS ecosystems are sprawling, and identities often multiply across dozens or hundreds of systems. Without visibility into how identities behave over time, and without automated checks to validate that offboarding worked, it becomes easy for dormant accounts to slip through.
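A defender-side check for the offboarding gap described above, added here as an example and not code from the original article or from CheckRed: it reconciles a constructed HR roster against constructed per-system account exports and flags terminated users whose accounts are still enabled, logins after the termination date, dormant accounts, and accounts with no HR owner at all. The user names, dates and the 90-day dormancy threshold are assumptions.

```python
"""Offboarding reconciliation: join the HR roster with each system's account export
to surface leftover access of the kind the FinWise incident turned on."""
from datetime import date

# Constructed sample data (not from the page); dates are illustrative only.
HR_ROSTER = {
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "terminated", "terminated": date(2024, 4, 30)},
    "carol": {"status": "terminated", "terminated": date(2023, 11, 15)},
    "erin": {"status": "active", "terminated": None},
}
SAAS_ACCOUNTS = [  # one row per (system, user), as exported from each platform
    {"system": "crm", "user": "alice", "enabled": True, "last_login": date(2025, 6, 1)},
    {"system": "crm", "user": "bob", "enabled": True, "last_login": date(2025, 5, 20)},
    {"system": "data-warehouse", "user": "bob", "enabled": True, "last_login": date(2025, 5, 22)},
    {"system": "data-warehouse", "user": "carol", "enabled": False, "last_login": date(2023, 11, 10)},
    {"system": "crm", "user": "erin", "enabled": True, "last_login": date(2024, 12, 1)},
    {"system": "ticketing", "user": "dave", "enabled": True, "last_login": date(2024, 1, 3)},
]
REPORT_DATE = date(2025, 6, 30)  # constructed "today" for the demo run

def offboarding_findings(roster, accounts, today, dormant_days=90):
    """Return (kind, system, user) tuples for every account that needs attention."""
    findings = []
    for acct in accounts:
        rec = roster.get(acct["user"])
        if rec is None:  # no HR owner: never onboarded, so never offboarded either
            findings.append(("orphan", acct["system"], acct["user"]))
        elif rec["status"] == "terminated":
            if acct["enabled"]:  # deprovisioning never reached this system
                findings.append(("retained_access", acct["system"], acct["user"]))
            if acct["last_login"] > rec["terminated"]:  # the account was used after leaving
                findings.append(("post_termination_login", acct["system"], acct["user"]))
        elif acct["enabled"] and (today - acct["last_login"]).days > dormant_days:
            findings.append(("dormant", acct["system"], acct["user"]))
    return findings

def max_exposure_days(roster, accounts):
    """Longest gap between a termination date and the latest login on that user's accounts."""
    gaps = [
        (a["last_login"] - roster[a["user"]]["terminated"]).days
        for a in accounts
        if a["user"] in roster and roster[a["user"]]["status"] == "terminated"
        and a["last_login"] > roster[a["user"]]["terminated"]
    ]
    return max(gaps, default=0)

if __name__ == "__main__":
    print(offboarding_findings(HR_ROSTER, SAAS_ACCOUNTS, REPORT_DATE))
    print("worst undetected exposure in days:", max_exposure_days(HR_ROSTER, SAAS_ACCOUNTS))
```

Run on a schedule against real exports, the `post_termination_login` and `retained_access` findings are the alerts that were missing in the thirteen months described above; the exposure figure gives the dwell time a report would need to state.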

The FinWise incident reflects three key identity weaknesses that appear in many companies.

These gaps are not unique to FinWise. They appear across industries and platforms. The difference is simply that in this case, the oversight became public.

Insider incidents once felt rare. Today, they are becoming more common for several reasons.

Modern organizations rely heavily on contractors, partners, and distributed teams. Each one receives access to applications and data. As the number of identities increases, tracking them becomes more difficult. Cloud and SaaS systems also introduce new types of long-lived tokens, API keys, service accounts, and non-human identities. Many remain active long after their intended use.

Not every insider incident is malicious. Sometimes access is misused unintentionally. Sometimes it is used by someone who believes they still have valid rights. And sometimes, as regulators and lawsuits allege in the FinWise case, the impact is amplified because data was not encrypted or protected at rest.

The lesson is simple. Insider threats are often symptoms of identity mismanagement. Without strong identity controls, even basic actions can create major incidents.

Lawsuits tied to the FinWise breach argue that the exposed data may not have been encrypted. Encryption is a powerful safeguard, and it is often the last barrier protecting sensitive data. But encryption alone is not enough. Its strength depends on the assumption that only authorized identities can access the data in the first place.

If a former employee retains valid access to a store of unencrypted data, the failure does not begin with encryption. It begins with identity governance. When both fail, attackers or insiders can move freely.

Modern security requires treating identity as the new perimeter. Encryption, logging, and network controls remain essential, but identity determines who reaches the data and when.

While no solution can prevent every insider threat, a modern identity-centric approach can significantly reduce the risk of incidents like FinWise. Continuous visibility across cloud and SaaS environments helps organizations identify the exact issues that contributed to this breach, such as:

By placing identity at the center of security posture, organizations can detect risks earlier and close gaps before they turn into prolonged breaches.

The FinWise breach shows that modern incidents do not always require advanced attackers. Ordinary identity gaps can create extraordinary consequences. The strongest defense is a consistent, proactive, identity-first security strategy that ensures organizations know who has access, why they have it, and whether they still need it.

FinWise will not be the last insider-driven breach. But it can be the one that reminds enterprises that identity is no longer a supporting control. It is the control that determines whether security works at all.

Derek Hammack is a multi-disciplinary cybersecurity professional at CheckRed with a background spanning engineering, communications, analytics, and strategic leadership. With experience across government and private sectors—including work in cloud architecture, SaaS security, and cross-functional program management—he brings a systems-thinking approach to solving complex challenges. Derek is passionate about helping organizations stay ahead of evolving threats through proactive posture management and modern security solutions.
