Login
ISCOVER
The aggregator has confirmed the incident after “almost 300,000 unique” Finsure emails were added to the data leak website HaveIBeenPwned.
Aggregation Finsure has confirmed that the marketing data of a number of its brokers and customers has been impacted by a recent “cyber incident”.
To continue reading the rest of this article, please log in.
Looking for more benefits? Become a Premium Member.
Create free account to get unlimited news articles and more!
Looking for more benefits? Become a Premium Member.
The confirmation comes after the emails of nearly 300,000 alleged email addresses linked to Finsure were added to security researcher Troy Hunt’s database of compromised credentials, HaveIBeenPwned.
According to Cyber Daily, a sister brand of The Adviser, sources first alleged the victim was ActivePipe, an Australian real estate and broker marketing platform.
However, a couple of days before, Finsure had been added to the ‘Who’s been pwned’ section of the HaveIBeenPwned site, alongside the alleged third-party source of the leak – ActivePipe.
“In October 2024, almost 300k unique email addresses from Australian mortgage broking group Finsure were obtained from the ActivePipe real estate marketing platform,” an update on HaveIBeenPwned said on 19 November.
“The impacted data also included names, phone numbers, and physical addresses. The incident did not directly affect any of Finsure’s systems or expose any passwords or financial data.”
The exact number of what HaveIBeenPwned refers to as ‘compromised accounts’ is 296,124.
According to the update, the incident occurred on 15 October and Finsure has confirmed that some of its customer data has been impacted.
“We have recently provided a precautionary notification to a small number of brokers and customers about a cyber incident which recently affected our business,” a Finsure spokesperson told Cyber Daily.
“We were made aware of an incident where a cyber security researcher accessed marketing data on a third-party service provider’s platform via compromised credentials.”
Finsure said it has since worked with the third-party provider – presumably ActivePipe – and the issue has been resolved.
“We have worked with the third-party provider and cyber security experts to review the data on the impacted system. This investigation determined that the majority of data is limited to basic contact information, which is already in the public domain. There is no evidence of misuse or publication of any individual’s personal information," the spokesperson said.
Finsure reiterated that no credit card details, personal IDs, passwords, or financial information have been impacted.
“We remain committed to protecting the personal information of all individuals, and we sincerely apologise for any concern that this incident may have caused,” Finsure said.
While Finsure has said that the exposed data was publicly available – and is therefore not considered a notifiable data breach – the description of the leaked emails as “unique” by HaveIBeenPwned suggests that most, if not all, have not been listed on the site prior to this leak.
ActivePipe hits back at claims
ActivePipe has also responded to the claims made on HaveIBeenPwned and denied such a large number of emails were impacted by the incident.
“On November 6th, ActivePipe was informed by an aggregator partner that a cyber security researcher was able to access basic contact data on a third-party service provider’s platform due to compromised credentials,” ActivePipe said in a statement.
“We immediately commenced a comprehensive investigation of the issue with the API credentials immediately reset, and the aggregator partner contacting the impacted parties.
“At no point was the ActivePipe platform breached and no data for any other customers or integration was part of this issue. ActivePipe do not store or keep these credentials once given to the third party and we verify the credentials through an industry standard, one-way encryption mechanism.”
While the impacted data did include names, emails, phone numbers, and addresses, according to ActivePipe, the number of individuals impacted is far lower than that currently listed on HaveIBeenPwned.
“We have been advised that only 35 contacts had data within the system that required a precautionary communication from our aggregator partner. No passwords or financial data were exposed or are at risk of exposure,” ActivePipe said.
“In relation to the announcement made by Troy Hunt, we are investigating our legal options as we consider his communication misleading and damaging to our company’s reputation.”
The finance industry has been impacted by several data breaches and hacks in recent years, with lenders such as Firstmac and Latitude having been compromised in attacks.
Aggregators, lenders, and associations have all been providing education and support to the broking industry to help them protect their businesses from hacks and bolster their cyber security protocols.
*This story was updated on 27 November to include commentary from ActivePipe
JOIN THE DISCUSSION