- Figure Technology Solutions confirmed a data breach that exposed close to 1 million clients’ accounts after attackers used a social engineering tactic to gain system access.
- The hacker team known as ShinyHunters has taken responsibility for the breach and has leaked approximately 2.4 gigabytes of people’s private data: names, emails, phone numbers, addresses, and dates of birth.
- Experts in Internet security recommend that affected individuals change their passwords and strengthen other security measures to reduce their risk of becoming victims of identity theft.

A major data breach has exposed around one million people’s personal details through Figure Technologies, a blockchain-based financial technology firm that provides loans and other products and services.
The company has confirmed that the incident was the result of a social engineering attack where an employee was tricked into sharing access to sensitive files with an outside party.
The data exposure puts affected users at risk of identity theft, fraud, and other targeted scams.
Cybercriminals are believed to be selling the exposed data on the dark web, trading stolen personal information.
Criminals can leverage this information against the victims as part of a phishing attack or to impersonate them.
Security experts indicate this is becoming a much larger threat as fraudsters combine the dark web exposure and data stolen in previous data breaches.
What Happened in the Figure Data Breach
Figure Technology Solutions confirmed that hackers attacked and compromised its system in one of the company’s most significant data breaches, stealing information without exploiting any blockchain vulnerabilities.
Instead, the breach occurred because of social engineering techniques used to manipulate or deceive employees into providing their login credentials and other access information.
According to reports, the data breach affected about 967,200 customers, granting unauthorized access to roughly one million user records, including sensitive information such as:
- Names
- Email addresses
- Telephone numbers
- Addresses
- Date of birth
This kind of sensitive data gives cybercriminals the ability to create effective phishing emails and to impersonate consumers over the phone in order to open credit accounts in their names.
The hackers known as ShinyHunters have taken responsibility for this attack, as they have for other data leaks in the past. The group has targeted several companies through social engineering, luring employees into giving up their passwords, or by exploiting weaknesses in security systems. On their leak site, ShinyHunters published about 2.4 GB of stolen customer records, which they claim came from Figure’s databases.
A company spokesperson said Figure quickly stopped the activity and hired a forensic firm to determine which files were affected. The company also says it is notifying affected customers about the breach and offering free credit monitoring services to them as a precaution.
Why Social Engineering is a Big Problem
In the attack on Figure, the perpetrator did not attempt to break into the software or gain unauthorized access through hacking, but instead turned to the less technical approach of social engineering. The method takes advantage of individuals’ innate sense of trust, which is often greater than their ability to understand the technical details associated with a computer attack.
For example, the perpetrator may have called an employee pretending to be someone from the IT department, or have used some other manipulative tactic to persuade the employee to give him access to the employee’s machine to download confidential files. Once the perpetrator had access to the employee’s valid credentials, he could easily download and export valuable documents.
Because the methods are simple and easy to carry out, social engineering attacks are becoming increasingly prevalent and widespread; they are a much easier alternative to finding a software vulnerability.
Cybersecurity researchers have found that attackers have successfully used social engineering in numerous high-profile data breaches. This makes training employees about scams and suspicious requests more important than ever.
Cybersecurity experts also point out that even systems built on blockchain technology, often marketed as secure and “unhackable,” are still vulnerable if attackers can get around authentication or target people instead of code. In this case, the blockchain’s cryptographic protections did nothing to stop the social engineering tactics.
What Affected Customers Should Do Now
If your information was part of the Figure breach, there are steps you should take right away to protect yourself:
- Confirm if Your Personal Data is at Risk. You can use dedicated services to check whether hackers have compromised your email or other personal information in past breaches. They check passwords against leaked password databases.
- Change Passwords and Enable Stronger Security. If you have used the same password before, change it immediately! All your passwords should be strong and distinct, with multi-factor authentication (MFA) active on your accounts. This provides another layer of security beyond just having a password to access your account.
- Monitor Financial Accounts Closely. Monitor your credit card and bank accounts, checking monthly statements often for suspicious transaction activity. Even small, suspicious charges can signal fraudulent activity.
- Use a Credit Freeze or File a Fraud Alert. Placing a freeze on your credit report with the four main credit bureaus will help limit the number of new accounts that anyone can open in your name without consent.
As with any criminal activity, identity theft and fraud can cause irreparable harm. If you believe your personal information has been compromised, act immediately to minimize potential damage.
The Federal Trade Commission (FTC) provides information about how to mitigate the effects of identity theft resulting from a data breach, including how to report a theft and recover from the breach or theft.
The breach at Figure should serve as an example of why all financial technology companies need to take steps to prevent attacks that exploit the human factor, and why customers should remain vigilant in protecting their own PII, because today’s digital world is all about data.