Breach Analysis

Byzfunder Breach: Fintech SSN Exposure Affects 1,719 Individuals

Byzfunder NY LLC breach analysis: a 20-day unauthorized access window in a cloud software system exposed names and Social Security numbers for 1,719 people.

By FinSecLedger
Records: 1,719
Vector: unauthorized access
Status: confirmed
Occurred: Sep 1, 2025
Discovered: Sep 19, 2025
Disclosed: Sep 1, 2025
Exposed: Names, SSN

Byzfunder NY LLC, a fintech company based in West Sacramento, California, has disclosed a data breach affecting 1,719 individuals after unauthorized access to one of its cloud-based software solutions persisted for 20 days. The California Attorney General filing confirms that names and Social Security numbers were the data categories at risk. Byzfunder detected the suspicious activity on September 19, 2025, but the unauthorized access had begun as early as September 1, running undetected for nearly three weeks before the company's security monitoring flagged it.

The breach is relatively small by volume -- 1,719 records is a fraction of what major financial institution breaches produce. But the data type makes it significant. SSNs paired with names are the building blocks for new account fraud, tax refund theft, and synthetic identity schemes. For 1,719 individuals, this breach creates a permanent identity theft risk that outlasts any monitoring subscription.

Timeline of Events

September 1, 2025: Unauthorized access to a Byzfunder software solution began. The notification letter describes this as "certain files" that "may have been accessed or acquired without authorization," and the language "accessed or acquired" indicates the company could not definitively determine whether files were only viewed or were also exfiltrated.

September 19, 2025: Byzfunder detected suspicious activity within the affected software solution. The company initiated an investigation and engaged external cybersecurity specialists. The 18-day gap between initial access and detection is concerning for a cloud-based system, where logging and monitoring capabilities are typically built into the platform.

September 20, 2025: The unauthorized access ended, the day after detection. Whether Byzfunder's response terminated the access or the timing was coincidental is not stated, but the proximity suggests the company's incident response shut the door.

November 12, 2025: Byzfunder completed its review of the affected files and determined that personal information -- specifically names and SSNs -- was present in the compromised data.

November 19, 2025: Notification letters were mailed to affected individuals, 80 days after the initial intrusion. For a breach involving only two data fields (name and SSN), the 54-day gap between discovery and notification is largely attributable to the data review process -- confirming which individuals' SSNs were in the accessed files.

The timeline raises a question about the September 1-19 detection gap. Cloud software solutions generate audit logs, access logs, and API call records that, if properly monitored, should surface unauthorized access patterns within hours, not weeks. An 18-day blind spot suggests either insufficient log monitoring, overly permissive access controls that made the unauthorized activity blend in with legitimate use, or a combination of both.
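To make the monitoring point concrete, here is an added example written for this analysis (not Byzfunder's tooling or any cloud vendor's product): a small detector that baselines which principals and source addresses normally touch a file store, then flags unknown principals, new source addresses and bulk reads in a constructed JSON-lines audit log, and computes how many days passed between the first actionable alert and a constructed detection time. The log schema (ts, principal, src_ip, action, object), every timestamp, principal name and address, the thresholds and the detection time are all constructed assumptions.

```python
"""Baseline-and-alert detection over a constructed cloud audit log.

Added example for this analysis; not Byzfunder's code. The JSON-lines schema
(ts, principal, src_ip, action, object), the timestamps, principals and
addresses are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: routine activity from known staff, then an unknown
# service principal pulling files from an unfamiliar address on Sep 1, and a
# known user appearing from that same address on Sep 3.
SAMPLE_LOG = """
{"ts": "2025-08-20T14:02:11Z", "principal": "ops-analyst", "src_ip": "203.0.113.10", "action": "file.read", "object": "apps/2025/app-1001.pdf"}
{"ts": "2025-08-21T09:15:40Z", "principal": "ops-analyst", "src_ip": "203.0.113.10", "action": "file.read", "object": "apps/2025/app-1002.pdf"}
{"ts": "2025-08-25T11:30:05Z", "principal": "underwriter", "src_ip": "203.0.113.11", "action": "file.read", "object": "apps/2025/app-1003.pdf"}
{"ts": "2025-09-01T03:12:00Z", "principal": "svc-integration", "src_ip": "198.51.100.77", "action": "file.read", "object": "apps/2025/app-1001.pdf"}
{"ts": "2025-09-01T03:12:05Z", "principal": "svc-integration", "src_ip": "198.51.100.77", "action": "file.read", "object": "apps/2025/app-1002.pdf"}
{"ts": "2025-09-01T03:12:09Z", "principal": "svc-integration", "src_ip": "198.51.100.77", "action": "file.read", "object": "apps/2025/app-1003.pdf"}
{"ts": "2025-09-02T10:00:00Z", "principal": "ops-analyst", "src_ip": "203.0.113.10", "action": "file.read", "object": "apps/2025/app-1004.pdf"}
{"ts": "2025-09-03T22:41:00Z", "principal": "underwriter", "src_ip": "198.51.100.77", "action": "file.read", "object": "apps/2025/app-1005.pdf"}
"""

BASELINE_END = datetime(2025, 9, 1)          # activity before this is treated as normal
DETECTED_AT = datetime(2025, 9, 19, 12, 0)   # constructed time the incident was noticed
BULK_THRESHOLD = 3                           # file.read events by one principal ...
BULK_WINDOW = timedelta(hours=1)             # ... inside this window trigger an alert


def parse_log(text):
    """Parse JSON-lines audit events, converting 'ts' to datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, baseline_end):
    """Map each principal to the set of source addresses it used before baseline_end."""
    seen = defaultdict(set)
    for ev in events:
        if ev["ts"] < baseline_end:
            seen[ev["principal"]].add(ev["src_ip"])
    return seen


def detect(events, baseline_end):
    """Return (ts, rule, principal) alerts for events at or after baseline_end.

    Rules: unknown-principal (never seen in the baseline), new-source-ip (known
    principal from an address it never used), bulk-file-read (BULK_THRESHOLD
    reads by one principal inside BULK_WINDOW). The two identity rules fire once
    per (principal, address); the bulk rule fires whenever the count reaches
    the threshold.
    """
    baseline = build_baseline(events, baseline_end)
    alerts, fired, recent_reads = [], set(), defaultdict(list)
    for ev in events:
        if ev["ts"] < baseline_end:
            continue
        p, ip = ev["principal"], ev["src_ip"]
        rule = None
        if p not in baseline:
            rule = "unknown-principal"
        elif ip not in baseline[p]:
            rule = "new-source-ip"
        if rule and (rule, p, ip) not in fired:
            fired.add((rule, p, ip))
            alerts.append((ev["ts"], rule, p))
        if ev["action"] == "file.read":
            reads = [t for t in recent_reads[p] if ev["ts"] - t <= BULK_WINDOW]
            reads.append(ev["ts"])
            recent_reads[p] = reads
            if len(reads) == BULK_THRESHOLD:
                alerts.append((ev["ts"], "bulk-file-read", p))
    return alerts


def dwell_days(alerts, detected_at):
    """Whole days between the earliest alert and the time the incident was noticed."""
    return (detected_at - min(a[0] for a in alerts)).days


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG), BASELINE_END)
    for ts, rule, principal in found:
        print(f"{ts.isoformat()}  {rule:18} {principal}")
    print(f"dwell time before detection: {dwell_days(found, DETECTED_AT)} days")
```

On the constructed sample the first alert fires within seconds of the Sep 1 access, and the gap to the constructed Sep 19 detection time is 18 days, which is the kind of number a quarterly review of alerting coverage is meant to drive toward zero. A real deployment would feed the provider's own audit stream (with its own field names) into the same baseline-and-compare logic and page on the first identity alert rather than waiting for the bulk rule.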

What Data Was Exposed

The breach is narrow in scope but high in severity. Only two data elements were compromised:

  • Names -- enabling the attacker to associate SSNs with specific individuals
  • Social Security numbers -- the most sensitive and permanent personal identifier in the U.S. financial system

There is no mention of dates of birth, addresses, financial account numbers, or other supplementary data. That limitation actually reduces the immediate utility of the stolen data for certain fraud types -- opening a credit card account typically requires name, SSN, DOB, and address -- but SSNs paired with names are enough to file fraudulent tax returns, create synthetic identities when combined with fabricated details, or sell on dark web markets where buyers supply the additional data points from other sources.

Byzfunder is offering IDX identity protection services with 12 to 24 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. The enrollment deadline was February 19, 2026.

How the Attack Happened

The notification letter describes the vector as unauthorized access to "one of the Byzfunder software solutions" -- language that points to a cloud application or SaaS platform rather than a traditional on-premises network intrusion. Byzfunder characterizes this as "an isolated event," suggesting the compromise was limited to a specific application rather than a broader infrastructure breach.

Several attack patterns fit this description. Credential compromise -- whether through phishing, credential stuffing, or leaked credentials from another breach -- is the most common entry point for cloud application breaches. API exploitation, where an attacker discovers and abuses poorly secured API endpoints, is another possibility. Misconfigured access controls, such as an overly permissive storage bucket or a publicly accessible admin interface, could also explain how an unauthorized party maintained access for 20 days without triggering alerts.

The reference to "files" being accessed indicates the compromised software solution contained document storage or file management capabilities. Fintech platforms frequently store loan applications, identity verification documents, and compliance records as files -- and those files contain exactly the kind of data (names and SSNs) that this breach exposed.

This pattern of cloud application compromise is consistent with trends across the fintech sector. The Gravity Payments breach, disclosed in January 2026, involved unauthorized access to a CRM system that exposed 2,278 records. The First Atlantic Capital breach, filed the same month, resulted from hacking that compromised 1,582 records including SSNs. Small to mid-size fintech companies frequently rely on cloud platforms that provide powerful functionality but require careful configuration to secure -- and misconfigurations are among the leading causes of cloud data breaches.

Who Is Affected

The 1,719 affected individuals had their data processed through Byzfunder's software solution. The notification letter was sent to residents across at least ten states and D.C., including California, Maryland, Oregon, New York, Rhode Island, Iowa, Kentucky, North Carolina, and Washington D.C.

Byzfunder operates in the fintech space, and its name and structure suggest involvement in business funding or lending. Companies in this sector collect SSNs during the application process for identity verification and credit checks. The affected individuals are likely loan applicants, business owners who applied for funding, or merchants whose data was processed through Byzfunder's platform.

For these individuals, the breach notification may be the first time they encounter the Byzfunder name. Fintech lending platforms often operate as white-label or behind-the-scenes providers -- a business owner applies for funding through a broker or marketplace, and their application data flows to companies like Byzfunder for processing. The applicant's relationship is with the front-end broker, not the back-end funder. This disconnect, common across our breach tracker, means people learn their data was compromised by a company they never directly engaged with.

Regulatory Implications

As a fintech company handling consumer financial data, Byzfunder falls under the Gramm-Leach-Bliley Act (GLBA) and the FTC's Safeguards Rule. The updated Safeguards Rule, effective since June 2023, requires financial institutions to implement specific security measures including access controls, encryption, multi-factor authentication, and continuous monitoring of information systems. A 20-day unauthorized access window in a cloud application raises questions about whether Byzfunder's monitoring and access controls met these standards.

California's breach notification law requires disclosure "in the most expedient time possible and without unreasonable delay." Byzfunder's 80-day timeline from initial breach to notification -- with a 54-day stretch from detection to notification -- is within the range that most state laws permit, though the trend in state legislatures is toward shorter, more explicit deadlines.

New York's SHIELD Act imposes data security requirements on any entity holding New Yorkers' private information, regardless of where the company is based. The SHIELD Act requires "reasonable" administrative, technical, and physical safeguards, and what constitutes reasonable safeguards for a fintech company handling SSNs in cloud applications is an area where enforcement actions are establishing precedent.

The CFPB has supervisory authority over certain fintech lenders under the Dodd-Frank Act. Whether Byzfunder meets the thresholds for CFPB examination depends on its loan volume and market activity, but the broader point holds: fintech lenders face a patchwork of state and federal oversight that often leaves gaps in cybersecurity accountability.

The Bigger Picture

Byzfunder's breach fits a pattern that FinSecLedger has tracked across multiple fintech incidents: small companies holding sensitive data in cloud systems that lack the security maturity of larger financial institutions. The 1,719-record count is modest, but multiply that pattern across dozens of fintech companies operating with similar security postures and the aggregate exposure is substantial.

The fintech sector's growth has outpaced its security investment. Companies focused on speed to market and customer acquisition often treat security as a post-launch concern. Cloud platforms provide convenience and scalability, but they also create a false sense of security -- the cloud provider secures the infrastructure, but the customer is responsible for securing the data and access controls within it. The shared responsibility model breaks down when fintech companies lack the security expertise to hold up their end.

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on securing cloud environments that applies directly to companies like Byzfunder, including implementing phishing-resistant MFA, enabling comprehensive logging, and conducting regular access reviews. For fintech companies handling SSNs, these are not optional best practices -- they are baseline requirements under GLBA.

As we noted in our CNA Continental Casualty analysis, the financial services supply chain is only as strong as its weakest participant. Byzfunder's breach may affect 1,719 people directly, but it reinforces a systemic concern: the growing ecosystem of fintech platforms processing sensitive financial data with security controls that do not match the sensitivity of the data they hold.

Action Items

For affected individuals:

  1. Enroll in IDX monitoring immediately if you have not already done so. Call (833) 781-8320 or visit the enrollment portal with your activation code. Note: the February 19, 2026 enrollment deadline has likely passed -- contact IDX to confirm whether late enrollment is possible.

  2. Place a credit freeze with Equifax, Experian, and TransUnion. With your name and SSN exposed, this is the single most effective step to prevent new account fraud. Freezes are free and can be temporarily lifted when you need to apply for credit.

  3. Request an IRS Identity Protection PIN at irs.gov/ippin. SSN exposure creates direct risk of fraudulent tax return filing. The IP PIN blocks unauthorized returns filed under your SSN.

  4. Monitor your credit reports through annualcreditreport.com. With only name and SSN compromised (no DOB or address), an attacker would need to obtain those details from another source before opening accounts -- but that combination is readily available on dark web marketplaces.

For fintech companies:

  1. Enable comprehensive audit logging on all cloud-hosted applications that process personal data. If unauthorized access persists for 18 days before detection, the logging and alerting configuration needs to be re-evaluated.

  2. Implement just-in-time access controls for cloud systems containing SSNs. Rather than granting persistent access to file stores, require elevated access to be requested and time-limited.

  3. Conduct a cloud security posture review against CISA's cloud security guidance and the GLBA Safeguards Rule. Focus on MFA enforcement, network segmentation within cloud environments, and encryption of data at rest.

  4. Minimize SSN retention. Once identity verification is complete and any regulatory hold periods have expired, purge SSNs from active systems. Data that no longer exists cannot be breached.
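As an added example of item 2 above (requested, time-limited access to an SSN-bearing file store), written for this analysis and not taken from Byzfunder or any vendor: a deny-by-default policy object that allows a read only inside an approved, in-scope, unexpired grant, caps grant lifetime, records every decision for the audit trail that item 1 calls for, and walks through a constructed scenario. The grant fields, the four-hour cap, the ticket identifiers, object keys and timestamps are assumptions.

```python
"""Just-in-time access evaluation for a file store holding SSNs.

Added example for this analysis; not Byzfunder's access model. The grant
fields, scopes, timestamps and the 4-hour cap are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_TTL = timedelta(hours=4)   # constructed policy cap on any single grant


@dataclass
class Grant:
    principal: str
    scope: str            # object-key prefix the grant covers, e.g. "apps/2025/"
    approved_at: datetime
    ttl: timedelta
    ticket: str           # justification reference recorded at approval time
    revoked: bool = False

    @property
    def expires_at(self):
        return self.approved_at + self.ttl


class JitAccessPolicy:
    """Deny by default; allow only inside an active, in-scope, unexpired grant."""

    def __init__(self):
        self.grants = []
        self.decisions = []   # audit trail: (ts, principal, obj, verdict, reason)

    def approve(self, principal, scope, approved_at, ttl, ticket):
        """Record a grant; refuse anything longer than the policy cap."""
        if ttl > MAX_TTL:
            raise ValueError(f"ttl {ttl} exceeds policy cap {MAX_TTL}")
        grant = Grant(principal, scope, approved_at, ttl, ticket)
        self.grants.append(grant)
        return grant

    def revoke(self, grant):
        grant.revoked = True

    def check(self, principal, obj, now):
        """Return True only if some live grant for this principal covers obj at time now."""
        for g in self.grants:
            if g.principal != principal or g.revoked or not obj.startswith(g.scope):
                continue
            if g.approved_at <= now < g.expires_at:
                self._record(now, principal, obj, "allow",
                             f"{g.ticket} until {g.expires_at.isoformat()}")
                return True
        self._record(now, principal, obj, "deny", "no active just-in-time grant")
        return False

    def _record(self, ts, principal, obj, verdict, reason):
        self.decisions.append((ts, principal, obj, verdict, reason))


def walkthrough():
    """Constructed scenario; returns the verdicts in order plus the decision log."""
    policy = JitAccessPolicy()
    t0 = datetime(2025, 9, 1, 9, 0)
    doc = "apps/2025/app-1001.pdf"
    half_hour = t0 + timedelta(minutes=30)
    verdicts = []
    verdicts.append(policy.check("ops-analyst", doc, t0))                 # no grant yet: deny
    g = policy.approve("ops-analyst", "apps/2025/", t0, timedelta(hours=2), "TICKET-123")
    verdicts.append(policy.check("ops-analyst", doc, half_hour))          # inside window: allow
    verdicts.append(policy.check("ops-analyst", "apps/2024/app-0001.pdf", half_hour))  # out of scope
    verdicts.append(policy.check("svc-integration", doc, half_hour))      # different principal
    verdicts.append(policy.check("ops-analyst", doc, t0 + timedelta(hours=2)))  # expiry is exclusive
    policy.revoke(g)
    verdicts.append(policy.check("ops-analyst", doc, t0 + timedelta(minutes=45)))  # revoked
    try:
        policy.approve("ops-analyst", "apps/", t0, timedelta(hours=8), "TICKET-124")
        verdicts.append(True)
    except ValueError:
        verdicts.append(False)                                            # over the TTL cap
    return verdicts, policy.decisions


if __name__ == "__main__":
    results, log = walkthrough()
    print(results)
    for entry in log:
        print(entry)
```

The point of the walkthrough is the shape of the failure modes, not the specific numbers: a standing service credential like the one that blends in for weeks has no grant and is denied at the first read, an expired grant stops working on its own, and every deny lands in the same decision log the monitoring from item 1 is already watching.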

Tags: breach, fintech, ssn, cloud-security, california