Figure Technology confirmed Friday that it suffered a customer data breach after an employee was targeted in a social engineering attack.
“We recently identified that an employee was socially engineered, and that allowed an actor to download a limited number of files through their account,” Figure said in a statement shared with Decrypt. “We acted quickly to block the activity and retained a forensic firm to investigate what files were affected.”
Social engineering refers to when attackers manipulate employees through deceptive emails, calls, or messages to gain access to corporate systems, often by tricking them into sharing credentials or approving unauthorized requests.
While the spokesperson declined to go into further detail, a member of ShinyHunters reportedly told TechCrunch the breach was part of a broader campaign targeting companies that rely on single sign-on provider Okta. Other alleged victims included Harvard University and the University of Pennsylvania.
Figure said it is communicating with partners and impacted parties, as well as implementing additional safeguards.
“We are offering complimentary credit monitoring to all individuals who receive a notice,” the company said. “We continuously monitor accounts and have strong safeguards in place to protect customers’ funds and accounts.”
Figure's stock finished the day up 3.57% at a price of $35.29, though it has fallen 37% over the last month.
