Pour yourself a dram of something smoky and settle in for the latest chapter in the ongoing soap opera of insider threats. A former FinWise employee gained access to American First Finance customer information, and now hundreds of thousands of people are being notified that their data wandered out of the organization’s hands. Great news, right? The vendor ecosystem will surely spin this as a triumph of controls and governance, because nothing says “we learned our lesson” like a press release with more buzzwords than actual fixes.
Top Story — What happened
The breach centers on an ex-employee who gained access to customer data after their employment ended. In other words, a classic offboarding slip: the paperwork says “terminated,” but nothing technical ever stands between the departed user and sensitive information. The result is a list of almost 689,000 affected individuals, a number that sounds impressive until you realize it could have been prevented with basic identity and access management discipline. The incident was reported by SecurityWeek, which means we get the same parade of vendor-driven apologies and risk panels we see after every quarterly breach disclosure.
Why this keeps happening
Because inside every security program there hides a senior executive who believes offboarding is a ceremonial event rather than a hard, technical refactor. Privilege is granted and never audited; accounts stay live long after the user leaves; the access review meetings feel like a ghost tour with a PowerPoint, not a real control. Vendors clamor about zero trust as if saying the magic words will revoke access on their own, and CISOs nod along while their teams juggle dashboards instead of actually revoking rights when people exit.
What you should do tomorrow
First, implement rapid revocation as soon as an employee leaves. If a former employee’s access persists, your controls are decorative, not real. Second, harden third-party and contractor access with strict enrollment and timely de-provisioning. Third, retire the reliance on glossy executive dashboards and invest in authentic identity governance and continuous monitoring that works without a vendor sticker on every screen.
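One concrete form the revocation and continuous-monitoring steps can take, as an added example that is not from the article or any vendor: a reconciliation script that flags accounts still enabled past the HR termination date (or enabled with no HR record at all) and successful logins stamped after that date. The roster, the identity-provider export, the auth log and the audit date are constructed sample data, and the “timestamp user result resource” log format is an assumption.

```python
# Added example (not the article's code): reconcile HR roster, IdP export and auth log.
from datetime import date, datetime

# Constructed HR roster: user -> last day of employment (None = current staff)
HR_ROSTER = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 3, 15), "bwong": None}
AUDIT_DATE = date(2024, 3, 20)  # constructed "today" for the review run

# Constructed IdP export: user -> account still enabled?
IDP_ACCOUNTS = {"jdoe": True, "asmith": False, "bwong": True, "contractor7": True}

# Constructed auth log, assumed format: "timestamp user result resource"
AUTH_LOG = """\
2024-02-28T09:12:00 jdoe SUCCESS customer-db
2024-03-04T22:41:10 jdoe SUCCESS customer-db
2024-03-16T08:00:00 asmith FAILURE vpn
2024-03-05T10:00:00 bwong SUCCESS customer-db
"""

def stale_accounts(roster, accounts, today):
    """Enabled accounts that should not be: past termination date, or orphaned
    (enabled but absent from the HR roster, e.g. an untracked contractor)."""
    findings = []
    for user, enabled in accounts.items():
        if not enabled:
            continue
        if user not in roster:
            findings.append((user, "orphaned: enabled but not on HR roster"))
        elif roster[user] is not None and roster[user] < today:
            days = (today - roster[user]).days
            findings.append((user, f"enabled {days}d after termination"))
    return findings

def post_termination_logins(roster, log_text):
    """Successful logins stamped after the user's last day: access that should
    have been impossible if revocation had actually happened."""
    hits = []
    for line in log_text.splitlines():
        ts, user, result, resource = line.split()
        last_day = roster.get(user)
        if last_day is None or result != "SUCCESS":
            continue
        cutoff = datetime.combine(last_day, datetime.max.time())  # end of last day
        if datetime.fromisoformat(ts) > cutoff:
            hits.append((user, ts, resource))
    return hits

if __name__ == "__main__":
    for finding in stale_accounts(HR_ROSTER, IDP_ACCOUNTS, AUDIT_DATE):
        print("STALE  ", *finding)
    for hit in post_termination_logins(HR_ROSTER, AUTH_LOG):
        print("ACCESS ", *hit)
```

Feed it the real HR feed and IdP export on a schedule and the first list is your revocation backlog; the second is the incident you would rather find yourself than read about in SecurityWeek.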
And if you still doubt the uphill battle, take a shot of whiskey and picture a world where the data you store is actually protected by the day you revoke it — not by policy documents that collect dust on a shared drive. 689,000 is not just a number; it is a reminder that the cost of weak access controls is paid in real people’s data and trust.