Figure got hacked. The blockchain lender said hackers grabbed customer data after tricking one of its workers in what security folks call a social engineering attack, and the company came clean about the mess on February 14.
Hackers broke into Figure’s systems and snagged sensitive customer information, though the company won’t say exactly what kind of data got stolen. Figure did say its main systems stayed safe, which is something. The breach happened when some employee got fooled into giving hackers access to the company’s networks – pretty much the oldest trick in the cybercrime playbook. Figure’s now scrambling to figure out how bad things really are and brought in security experts to help patch up their defenses.
Not great timing for Figure.
The company started calling customers to let them know what happened. Figure’s also handing out advice on how folks can protect themselves, though they’re being pretty vague about the whole thing. “Customer trust is paramount,” Figure said, which sounds nice but doesn’t really tell us much about what data got grabbed or how many people got hit.
Figure trades on public markets and focuses on blockchain-based lending, making it one of the bigger players in that space. The company keeps saying customer blockchain assets are fine, but that doesn’t help much if your personal info is floating around the dark web. Figure did the right thing and told regulators about the breach, and they’re working with authorities to sort this mess out. No word yet on when they’ll wrap up their investigation.
These kinds of breaches are happening more and more in finance. Companies can’t seem to keep hackers out, and Figure’s situation shows just how tricky it is to stay ahead of cybercriminals who are getting smarter every day.
Figure’s doing what companies always do after a breach – reviewing security protocols and looking for weak spots in their systems. They want to beef up their cybersecurity game so this doesn’t happen again. But honestly, that’s what every company says after they get hacked.
The company isn’t saying much about how many customers got affected or what specific information the hackers grabbed. Figure keeps promising updates as they learn more, and they’re telling customers to watch their accounts for weird activity. Standard stuff, really.
Nobody from Figure’s C-suite has made any public comments yet. The investigation is still going on, which limits what they can say. And they’re probably waiting for lawyers and PR folks to figure out the best way to handle this without making things worse.
Jamie Smith, Figure’s spokesperson, talked to reporters on February 15. “The company is prioritizing transparency in its ongoing investigation,” Smith said. She added that while the breach sucks, Figure wants to do better at protecting customer data going forward. Smith didn’t give specifics about what went wrong or how they plan to fix it.
Figure’s thinking about making employees go through extra security training. They want workers to spot social engineering tricks before falling for them. The company plans to roll out this training by the end of March, assuming they can get their act together by then.
And Figure’s shopping around for outside cybersecurity firms to audit their systems. They want an independent review to find any other problems lurking in their networks. No word yet on which firm they’ll pick or how much they’re willing to spend on this cleanup.
Customers are freaking out about identity theft, which makes sense. Figure’s offering free credit monitoring for a year to try and calm people down. It’s a decent gesture, but it won’t help much if hackers are already using stolen data to open accounts or make purchases.
Figure called in the feds on February 16. They’re working with law enforcement to track down whoever pulled off this hack. Good luck with that – these cybercriminal groups are usually pretty good at covering their tracks.
Alex Martinez, Figure’s Chief Security Officer, said the company moved fast once they found out about the breach. “The company’s immediate focus is on containing the breach and preventing any further unauthorized access,” Martinez said. He promised Figure won’t let this happen again, though that’s what security chiefs always say after breaches.
The hack got Figure looking at its vendors too. On February 17, they started checking whether outside companies they work with follow proper security rules. Smart move, since lots of breaches happen through third-party partners who don’t take security seriously enough.
Figure keeps sending updates to affected customers and telling them to stay alert. The company says it wants to be transparent about what happened, though they’re still pretty tight-lipped about the important details. Customers are stuck waiting for more information while hoping their personal data doesn’t end up for sale online.
The Federal Trade Commission has ramped up enforcement actions against financial firms following data breaches, issuing $50 million in fines last year alone. Figure’s incident adds to a growing list of blockchain companies targeted by sophisticated criminal networks, with crypto-focused firms reporting 40% more social engineering attempts than traditional banks.
Meanwhile, Figure’s stock price dropped 8% in after-hours trading on February 14 following the breach disclosure. Industry analysts worry that regulatory scrutiny could intensify as lawmakers push for stricter cybersecurity standards in the digital lending space. Senator Elizabeth Warren’s office has already requested briefings from three other fintech companies hit by similar attacks this quarter.