The week in breach news

North America

FinWise Bank

Not every attack comes from outside. Adding to the surge in insider threats in recent months, the U.S. fintech firm FinWise Bank has warned that its customer data may have been exposed following a malicious insider attack.

FinWise Bank, which provides banking services and technology solutions to financial organizations, revealed that a former employee may have accessed or acquired its customer data after leaving the firm. The Utah-based company confirmed that the personal data of 689,000 customers, including information such as full names and other undisclosed data elements, may have been compromised. Some of the exposed records belonged to American First Finance (AFF), a poor-credit lender that partners with FinWise to offer installment loans.

According to a filing with the Office of the Maine Attorney General, the incident occurred on May 31, 2024, but wasn’t detected until June 18 this year. In response, FinWise is offering all affected customers 12 months of free credit monitoring and identity theft protection.

This is the latest in a growing string of high-stakes malicious insider attacks. Earlier in May, Coinbase Global, Inc., an American cryptocurrency exchange, also suffered a similar incident when an overseas support staffer accepted a bribe and stole data belonging to nearly 70,000 customers.

North America

Michigan Department of Treasury

The Michigan Department of Treasury has urged residents to ignore unsolicited text messages from cybercriminals posing as the agency and demanding personal banking information.

On September 15, 2025, the department confirmed a widespread smishing campaign circulating across the state. The fraudulent texts, appearing to come from the agency, claim a refund has been processed and demand that taxpayers submit accurate payment details or risk forfeiting the refund. Officials stressed that the Treasury only communicates with taxpayers through official letters sent via the U.S. Postal Service and advised residents to delete any such texts immediately.

This isn’t the first case of smishing targeting Michigan state agencies. Back in April, the Department of Transportation issued a warning about scam texts impersonating E-ZPass and other toll systems, demanding fees and requesting credit card details.

North America

Stellantis (Jeep/Chrysler parent) vendor breach

Stellantis disclosed on Sept. 21, 2025 that a third-party provider supporting its North American customer-service operations experienced unauthorized access. Early findings indicate exposure of basic customer contact information (e.g., names, email addresses, phone numbers); Stellantis says no financial data, government ID numbers, or other highly sensitive personal data appear to have been compromised. The company has activated incident-response procedures, notified affected customers and regulators, and warned customers to be vigilant for follow-on phishing or social-engineering attempts. The investigation and vendor remediation are ongoing.

North America

Tiffany & Co.

American luxury jeweler Tiffany & Co. has notified more than 2,500 customers in the U.S. and Canada that hackers stole their personal information.

According to the company’s notification, a threat actor gained unauthorized access to Tiffany’s systems on or around May 12, 2025. The investigation found that the attacker obtained data tied to Tiffany gift cards, including names, email addresses, postal addresses, phone numbers, sales details, gift card numbers and PINs.

Tiffany is part of French luxury giant LVMH, which also owns brands like Louis Vuitton, Dior and Givenchy. Several LVMH brands, including Louis Vuitton, Dior and Tiffany, were recently caught up in a Salesforce intrusion campaign. It remains unclear whether the breach disclosed this week is linked to that campaign or if it represents a separate intrusion.

North America

Town of Bluffton, South Carolina

The Town of Bluffton has alerted residents and businesses on its mailing lists about a phishing attack that occurred on Friday, September 12.

Many recipients reported getting a malicious email with the subject line “Town of Bluffton.” The email included an attachment and directed users to enter an access code on a fake Microsoft Outlook login page. Officials clarified that the town never sends emails requesting access codes.

Fortunately, the town’s IT team acted quickly to contain the attack. Although the email was sent from a spoofed town address, the IT Department was able to recall the message and minimize impact.

North America

Pollard & Associates, Inc.

Pollard & Associates, Inc., a third-party administration firm specializing in independent retirement plans, has confirmed a data breach that impacted thousands of individuals.

The firm reported that suspicious activity was detected on its network on or around May 15, 2025. An investigation later revealed that an unauthorized actor copied files on or around April 8, 2025. A subsequent review determined on July 15 that the breach compromised sensitive personal and financial information belonging to at least 17,907 individuals. Exposed data included names, Social Security numbers and financial account information.

On September 16, the firm began mailing notifications to affected individuals. The breach has also been reported to the Attorneys General of Maine, Montana, Massachusetts and Vermont.