Data breach hits 1 million Figure customers | American Banker

By Cybersol·February 20, 2026·9 min read
Source: Originally from "Data breach hits 1 million Figure customers | American Banker" by American Banker

The Human Factor: How Social Engineering Exposed One Million Figure Customers

In an era where financial institutions invest millions in sophisticated cybersecurity infrastructure, a sobering reality persists: the human element remains the most vulnerable point in any security architecture. The recent breach at Figure, a blockchain-based lending platform, serves as a stark reminder of this fundamental truth. When the notorious ShinyHunters extortion group successfully compromised customer data affecting one million individuals, they didn't exploit zero-day vulnerabilities or brute-force encryption. Instead, they simply manipulated people.

This incident carries profound implications that extend far beyond Figure's immediate customer base. For financial services organizations navigating increasingly complex regulatory landscapes and third-party ecosystems, the breach offers critical lessons about operational resilience, vendor risk management, and the persistent challenge of defending against attacks that target human psychology rather than technological infrastructure.

Anatomy of a Social Engineering Attack

ShinyHunters, a cybercriminal group with a documented history of high-profile data thefts, employed social engineering tactics to gain unauthorized access to Figure's systems. The stolen data included customer names, addresses, and phone numbers—information that, while not including financial credentials, nonetheless represents a significant privacy violation and potential springboard for further attacks.

Social engineering attacks succeed because they exploit fundamental human tendencies: the desire to be helpful, the impulse to comply with apparent authority, and the assumption that requests coming through established channels are legitimate. Unlike technical exploits that can be patched or firewalled, these psychological vulnerabilities require fundamentally different defensive approaches—ones that many organizations still struggle to implement effectively.

The choice of target is equally revealing. Figure operates at the intersection of traditional finance and blockchain technology, representing the kind of innovative fintech platform that traditional financial institutions increasingly partner with to remain competitive. This positioning creates unique attack surfaces that may not be adequately addressed by conventional security frameworks designed for legacy banking infrastructure.

Regulatory Frameworks and the Human Element

The timing of this breach coincides with the implementation and evolution of comprehensive operational resilience frameworks across the financial services sector. The European Union's Digital Operational Resilience Act (DORA) and the updated Network and Information Security Directive (NIS2) both emphasize the importance of human factors in organizational security posture.

DORA specifically requires financial entities to implement comprehensive ICT risk management frameworks that include "human resources security" and "security awareness and training." The Figure breach demonstrates precisely why these requirements exist. Technical controls, no matter how sophisticated, cannot compensate for inadequate human-centric defenses.

Under these frameworks, organizations must demonstrate not merely that they have implemented security controls, but that these controls effectively address the full spectrum of threats—including those that target human judgment rather than technological vulnerabilities. The regulatory scrutiny following such incidents increasingly focuses on whether organizations have established robust verification procedures, conducted regular security awareness training, and implemented appropriate access controls that account for social engineering risks.

For financial institutions subject to these regulations, the Figure incident will likely prompt deeper examination of their own human-factor security measures. Regulators will want to understand how organizations validate the identity of individuals requesting access or information, what procedures exist to verify unusual requests, and how frequently staff receive training on current social engineering tactics.

Third-Party Risk in the Fintech Era

Perhaps the most significant implication of the Figure breach relates to third-party risk management. As traditional financial institutions increasingly collaborate with fintech platforms to offer innovative products and services, they inherit the security posture—and vulnerabilities—of their partners.

The blockchain lending sector represents a particularly complex risk landscape. These platforms often operate with different regulatory frameworks, technological architectures, and security cultures than established financial institutions. When a traditional bank partners with a company like Figure, it must assess not only the technical security of the blockchain infrastructure but also the human-factor controls that protect access to that infrastructure.

Existing vendor due diligence processes may not adequately capture these nuanced risks. Standard security questionnaires often focus on technical controls: encryption standards, network segmentation, intrusion detection systems. While these elements remain important, the Figure breach demonstrates that organizations must also rigorously evaluate their vendors' approaches to:

  • Identity verification procedures: How does the vendor confirm that individuals requesting access or information are who they claim to be?
  • Security awareness training: What programs exist to educate staff about current social engineering tactics, and how frequently is this training updated?
  • Access request validation: What processes ensure that unusual or sensitive requests receive appropriate scrutiny before being fulfilled?
  • Incident response capabilities: How quickly can the vendor detect and respond to social engineering attempts?

For financial institutions, the cascading liability exposure from vendor breaches creates significant operational and reputational risks. Customer trust, once compromised through a third-party incident, may prove difficult to restore. Regulatory penalties may apply not only to the breached vendor but also to partner institutions that failed to conduct adequate due diligence.

Contractual Complexity and Liability Allocation

The Figure breach also highlights important questions about contractual risk management in vendor relationships. When a breach results from social engineering rather than technical failure, determining liability becomes considerably more complex.

Traditional vendor agreements often include indemnification clauses that address data breaches, but these provisions typically contemplate technical compromises: unauthorized system access, malware infections, or infrastructure failures. Social engineering incidents occupy a gray area. If an employee is manipulated into providing access, has there been a failure of technical controls, inadequate training, or simply an unfortunate exploitation of human nature?

Organizations must examine whether their vendor contracts adequately address scenarios involving human manipulation. Key considerations include:

  • Definition of security failures: Do contract provisions specifically encompass breaches resulting from social engineering, or do they focus primarily on technical vulnerabilities?
  • Training requirements: Do agreements mandate specific security awareness training programs, with defined frequency and content standards?
  • Notification timelines: Are vendors required to promptly disclose not only successful breaches but also attempted social engineering attacks that may indicate ongoing targeting?
  • Cost allocation: How are expenses related to customer notification, credit monitoring, and regulatory penalties distributed between parties when breaches involve human factors?

The answers to these questions will significantly impact how organizations recover from incidents like the Figure breach, both financially and operationally.

Building Resilient Human-Centric Defenses

The persistent success of social engineering attacks demands a fundamental reassessment of how organizations approach security awareness and training. Traditional annual compliance training sessions, often experienced by employees as checkbox exercises, prove inadequate against sophisticated threat actors who continuously evolve their tactics.

Effective human-centric security programs require:

Continuous education: Regular, brief training sessions that address current threat tactics prove more effective than infrequent comprehensive training events. Organizations should implement ongoing awareness programs that adapt to emerging social engineering techniques.

Realistic simulation: Controlled phishing simulations and social engineering tests help employees recognize manipulation attempts in low-stakes environments, building muscle memory for real-world scenarios.

Psychological safety: Creating organizational cultures where employees feel comfortable reporting suspicious requests or admitting potential mistakes enables faster incident detection and response. Fear-based security cultures often drive incidents underground, allowing breaches to expand before discovery.

Verification procedures: Establishing clear protocols for validating unusual requests—particularly those involving data access or financial transactions—creates structural barriers against social engineering. These procedures must be simple enough for routine use while robust enough to catch sophisticated manipulation attempts.

Cross-functional responsibility: Security awareness cannot remain solely the domain of IT or compliance departments. Every organizational function, from customer service to executive leadership, must understand their role in maintaining security posture.

Looking Forward: Lessons for Financial Services

The Figure breach offers several critical lessons for financial services organizations navigating the complex intersection of innovation, regulation, and security:

Human factors demand equal investment: While technical security controls remain essential, organizations must allocate comparable resources to addressing human vulnerabilities through training, procedures, and culture development.

Third-party risk extends beyond technology: Vendor due diligence must rigorously evaluate human-factor controls, not merely technical infrastructure. The security posture of partner organizations directly impacts institutional risk exposure.

Regulatory expectations are evolving: Frameworks like DORA and NIS2 signal increasing regulatory focus on operational resilience that encompasses human elements. Organizations should anticipate heightened scrutiny of security awareness programs and verification procedures.

Innovation creates novel attack surfaces: As financial institutions partner with fintech platforms operating in emerging sectors like blockchain lending, they must develop risk assessment frameworks that capture the unique vulnerabilities these partnerships introduce.

Contractual protections require updating: Vendor agreements must explicitly address social engineering scenarios, establishing clear liability allocation and defining security expectations that encompass human-factor controls.

Conclusion

The compromise of one million customer records at Figure through social engineering tactics represents more than an isolated incident—it exemplifies a fundamental challenge facing modern financial services organizations. As institutions invest heavily in technical security infrastructure while simultaneously expanding partnerships with innovative fintech platforms, the human element remains a persistent vulnerability that sophisticated threat actors readily exploit.

For organizations operating under evolving regulatory frameworks that increasingly emphasize operational resilience and human-factor security, this breach serves as both warning and opportunity. It demonstrates the inadequacy of security approaches that prioritize technical controls while treating human awareness as an afterthought. Simultaneously, it offers a catalyst for organizations to fundamentally reassess their approach to security awareness, vendor risk management, and operational resilience.

The financial services sector stands at an inflection point. The integration of traditional banking with innovative technologies creates unprecedented opportunities for customer service and operational efficiency. Realizing these benefits while managing associated risks requires security frameworks that address the full spectrum of threats—including those that target the humans who ultimately access, manage, and protect sensitive data. The Figure breach reminds us that in cybersecurity, as in so many domains, people remain both our greatest vulnerability and our most important defense.