Australian mortgage group Finsure reports third-party data breach
Learn More
Australian mortgage broking group Finsure reports a data breach that occured at their third-party service provider ActivePipe, a real estate marketing platform.
The incident occurred on October 15, 2024, and led to the exposure of customer and broker marketing data. The cause of the breach has been identified as compromised credentials that allowed a cybersecurity researcher to access marketing data on a third-party service provider's platform. ActivePipe has confirmed that their API credentials were immediately reset following the discovery of the incident.
Exposed data types:
- Names
- Email addresses
- Phone numbers
- Physical addresses
The scope of the incident is currently disputed. According to Have I Been Pwned, a database of compromised credentials maintained by security researcher Troy Hunt, 296,124 unique email addresses were exposed. However, ActivePipe claims that only 35 contacts required precautionary communication. Finsure has described the number of affected individuals as "a small number of brokers and customers."
No financial impact has been reported, and according to both Finsure and ActivePipe, no sensitive financial information was compromised like passwords, personal IDs or payment card or financial information.
Finsure claims the exposed data was already publicly available and that the incident is not considered a notifiable data breach. Contrary to that, Have I Been Pwned's classification of the email addresses as "unique" suggests these addresses had not previously appeared in other known data breaches.
ActivePipe has stated they are investigating legal options regarding Troy Hunt's communication, which they consider "misleading and damaging" to their company's reputation.
