Finsure

Summary

On 15 October 2024, Australian mortgage broking group Finsure experienced a data breach affecting 296,124 customers and brokers when compromised credentials allowed unauthorized access to marketing data on third-party platform ActivePipe. The breach was publicly disclosed on 19 November 2024 through Have I Been Pwned. Compromised data included names, phone numbers, physical addresses, and email addresses, though Finsure confirmed no passwords or financial data were exposed. The incident did not directly affect Finsure's systems.

What Happened

A cybersecurity researcher gained access to Finsure's marketing data stored on ActivePipe, a real estate marketing platform used by the mortgage broker, using compromised API credentials. The unauthorized access occurred on 15 October 2024 but was not publicly disclosed until 19 November when Have I Been Pwned added the compromised email addresses to its database.

ActivePipe immediately reset their API credentials upon discovering the incident. Finsure's investigation determined the breach was limited to basic contact information—names, email addresses, phone numbers, and physical addresses—much of which was already in the public domain through marketing channels.

Impact on Individuals

The breach affected nearly 300,000 Finsure customers and affiliated brokers. The exposed contact information created risks for phishing campaigns and spam but did not include sensitive financial data, passwords, or identity documents that would enable direct financial fraud or identity theft.

Organisational Response

Finsure confirmed the cyber incident and stated there was no evidence of misuse or publication of individual personal information. The company worked with ActivePipe to remediate the credential compromise and reset access controls.