The cost of touching real customer data in a fintech engineering pipeline has gone up. Not steadily — in step changes, each one tied to a named enforcement action (the Equifax settlement, the Drizly order, the post-MOVEit FTC follow-ups), a breach disclosure (the MOVEit cascade running through hundreds of financial-services entities in 2023), or a regulatory amendment (the FTC's 2023 Safeguards Rule with its 30-day notice trigger) that reset the baseline. We've spent the first half of 2026 cataloging those step changes. This is the resulting landscape.
This document is intended as a reference for fintech compliance officers, engineering leaders, security and privacy teams, and the board members who fund their work. It aggregates publicly available enforcement and breach data from 2023–2025 (with early 2026 data where available), categorizes the underlying failure modes, and documents the controls that would have prevented or contained each category.
We've drawn on FTC enforcement filings, state Attorney General consent orders, SEC enforcement actions, FinCEN advisories, CFPB orders, OCC bulletins, and the public breach notification databases maintained by the Privacy Rights Clearinghouse and the HHS Office for Civil Rights.
The picture that emerges is not one of new threats. It is one of the same threats — phishing, third-party breach, insider misuse, weak authentication, unsecured backups — landing in a regulatory environment that increasingly assumes specific controls should have been in place.
Section 1 — The 2023 GLBA Safeguards Rule amendments reset the baseline
The Federal Trade Commission's amendments to 16 CFR Part 314, fully effective June 9, 2023, changed the GLBA Safeguards Rule from a principles-based framework into a prescriptive control list. The amended rule explicitly requires multifactor authentication, encryption of customer information at rest and in transit, written incident-response plans, regular penetration testing, vulnerability assessments, and the designation of a "Qualified Individual" to oversee the information security program. It also imposed a 30-day breach notification requirement to the FTC for incidents affecting 500 or more consumers.
The cumulative effect: if you operate a non-bank fintech in the United States and you suffered a breach in 2024 or 2025, the FTC has a much clearer enforcement template to use against you than it did pre-2023. Several actions have already been brought under the amended framework, and the published consent orders read like compliance manuals — the FTC is using the orders themselves to publish what "reasonable" looks like under the new rule.
Section 2 — The breach landscape, 2023–2025
We pulled the full set of publicly disclosed breaches from the Privacy Rights Clearinghouse database for the period covering 2023 through year-end 2025, then filtered for incidents at financial-services or fintech entities (banks, broker-dealers, RIAs, insurers, payment processors, lending platforms, wealth-tech, neobanks, and tax-prep providers).
A few patterns dominate the dataset:
Third-party / vendor breaches account for the largest single category. The MOVEit / Progress Software vulnerability in mid-2023 alone produced disclosure cascades into hundreds of financial-services entities, most of which had a single shared dependency they didn't know they had. The pattern repeated, at smaller scale, with several payment-processor incidents in 2024. The lesson that's slowly settling in: your PII risk is the union of your own systems' risks and the risks of every vendor in your data path, and your control over the second set is usually a contract clause and a SOC 2 report.
Phishing-driven account-takeover attacks against employees with access to customer data remain the most common single attack pattern. This is unglamorous and well-understood; it remains the most common because the controls that defeat it (FIDO2 hardware tokens, conditional access policies, just-in-time elevation) are operationally expensive and unevenly adopted.
Backup, log, and analytics environments are the most consistently overlooked surfaces. Multiple 2024 and 2025 breaches involved exposed S3 buckets, snapshot exports, or analytics warehouses containing customer data that the production application had reasonable controls around but the derivative environment did not. This is the specific failure mode the GLBA amendments now explicitly require firms to address.
Internal misuse, while a smaller share of disclosed breach counts, accounts for a disproportionate share of regulator-driven actions. When a breach involves an insider — even a contractor — the post-incident regulatory scrutiny is materially harder. The FTC, in particular, has signaled in its 2024 and 2025 actions that insider-driven incidents are evidence of a deficient access-control program rather than a one-off bad actor.
The cost per record is structurally rising. IBM's annual Cost of a Data Breach report shows financial-services breaches running 30–40% above the cross-industry average for several years running. In our own review of consent orders, the regulator-imposed component (civil penalty, restitution fund, ongoing audit cost) has been increasing roughly in step with the growth in private litigation costs.
Section 3 — The CFPB and state AG enforcement environment
A second front opened in 2024 and accelerated through 2025: state Attorneys General using state-level privacy laws (CCPA in California, SHIELD Act in New York, the Texas Data Privacy and Security Act, and several others) as the basis for enforcement actions against fintechs. The state framework is, in several respects, broader than the federal:
- State laws often define "personal information" more expansively than GLBA's "nonpublic personal information."
- State laws frequently impose private rights of action that GLBA does not.
- State laws sometimes have significantly tighter breach notification windows (Texas: 30 days; New York: "without unreasonable delay" with regulator notification triggers).
The result is that a national fintech serving customers in 50 states is potentially exposed to 50 different breach-notification regimes and several different private-litigation paths. Most fintechs we've reviewed have a single playbook calibrated to whichever regime they encountered first, which means they're materially under-prepared for whichever regulator gets there in the next incident.
The CFPB, separately, has continued to use its UDAAP authority to bring privacy-adjacent actions against fintechs — most notably in matters where customer data was used in ways the consumer disclosure didn't clearly contemplate. This is a different theory of harm than GLBA's "you didn't safeguard the data," and it applies to entirely intentional uses, not just incidents.
Section 4 — Where real customer data ends up in non-production environments
Across consent orders, breach notifications, and our own work with fintech engineering teams, real customer data ends up in non-production environments through a relatively small number of recurring paths:
For each of these paths, the structural alternative is the same: replace the real customer data with synthetic data that's calibrated to be representative without containing any real individual. This is not novel. What's novel is that the regulatory cost of not doing it has crossed a threshold for most fintechs.
Section 5 — What the cost of "do nothing" actually looks like in 2026
Pulling together breach-cost data, consent-order penalty data, and the operational cost of post-incident remediation produces an order-of-magnitude estimate for the all-in cost of a single breach involving customer financial data:
Direct response costs (forensics, legal, notification, credit monitoring, customer service): historically $1.5M–$8M for a mid-sized fintech, scaling roughly with affected-record count.
Regulatory penalties (FTC, state AGs, CFPB, banking regulators where applicable): historically $0–$50M+, with the modal post-2023 outcome for a serious GLBA violation in the $5M–$25M range.
Civil litigation (class actions, particularly in California under CCPA's private right of action): historically $5M–$200M+ depending on affected count and dataset sensitivity; settling for $20–$100 per affected record is now routine.
Operational remediation cost (mandated audit programs, control upgrades, additional staffing): typically $3M–$15M over the consent order period, plus ongoing.
Customer attrition and trust cost. Hard to quantify, but well-documented in financial services specifically. Several 2024 fintech breaches were followed by 15–30% account closure within 12 months at the affected firms.
Reputational cost in capital markets. For pre-IPO fintechs, a major breach has historically delayed liquidity events by 18–36 months when it has not eliminated them.
The typical mid-sized fintech breach in 2024–2025 cost the affected firm somewhere between $15M and $100M all-in. This is not a tail risk. It is a recurring annual expectation across the industry.
Section 6 — What the controls actually cost
The countervailing fact: the controls that prevent or contain most of these incidents are well-understood and decreasing in cost.
The control-cost-versus-incident-cost gap has widened dramatically in favor of the controls. Most fintechs we've reviewed in 2025 are substantially under-investing in the control side relative to the actuarially-expected breach cost on the other side. This is a budgeting question, ultimately, and one most boards have not yet had at the right level of seriousness.
Section 7 — The structural recommendation
Pulling all of this together, the structural recommendation for fintech leadership for 2026:
Six structural moves for 2026
- Inventory every place real customer data lives outside production. Most firms find 4–7 environments they had not previously catalogued.
- Replace real-customer-data dependencies in non-production environments with synthetic data — schema-preserving for derivative environments, archetype-driven for compliance / planning / ML coverage.
- Apply production-grade access, encryption, and monitoring controls to every environment you don't replace.
- Pre-position your incident response — the 30-day FTC notification clock starts at discovery, not confirmation.
- Audit your vendors specifically for the data-flow paths they create. Most disclosed third-party breaches involved vendor relationships the firm could not have explained to a regulator at incident time.
- Calibrate the board conversation. Quarterly review of synthetic-data, access-control, and incident-response posture. In most firms today this is annual at most, often delegated below the board.
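As an added illustration of the second move (example code, not the authors' own tooling), the block below replaces a production-shaped customer record with a synthetic one that keeps the same keys and field formats, and then checks that no direct identifier survived. The record layout, field names and sample values are constructed for this example; the Luhn check digit keeps synthetic card numbers format-valid, and the SSN area number 000 is one the SSA never issues.

```python
import random
# Constructed sample of production-shaped records (hypothetical, not real customers).
PROD_RECORDS = [
    {"customer_id": "C-10482", "email": "a.rivera@example.com", "ssn": "123-45-6789",
     "card_number": "4111111111111111", "balance_cents": 184233, "state": "CA"},
    {"customer_id": "C-10483", "email": "j.chen@example.org", "ssn": "987-65-4321",
     "card_number": "5500000000000004", "balance_cents": 9120, "state": "TX"},
]
DIRECT_IDENTIFIERS = ("customer_id", "email", "ssn", "card_number")

def luhn_check_digit(payload: str) -> str:
    # Standard Luhn: the rightmost payload digit is doubled, then every other one.
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def synthesize(record: dict, rng: random.Random) -> dict:
    # Keep the leading digit (card network) so fixtures route like production,
    # draw the rest at random, and append a valid Luhn check digit.
    payload = record["card_number"][0] + "".join(str(rng.randint(0, 9)) for _ in range(14))
    magnitude = 10 ** (len(str(record["balance_cents"])) - 1)
    return {
        "customer_id": f"C-{rng.randint(10000, 99999)}",
        "email": f"user{rng.randint(1, 10**6)}@synthetic.example",
        # Area number 000 is never issued by the SSA, so this can never be a real SSN.
        "ssn": f"000-{rng.randint(1, 99):02d}-{rng.randint(1, 9999):04d}",
        "card_number": payload + luhn_check_digit(payload),
        # Keep the magnitude band, not the value, so aggregates stay realistic.
        "balance_cents": rng.randint(magnitude, magnitude * 10 - 1),
        "state": record["state"],  # low-cardinality categorical, not an identifier
    }

def synthesize_all(records: list, rng: random.Random) -> list:
    taken = {r["customer_id"] for r in records}
    out = []
    for r in records:
        s = synthesize(r, rng)
        while s["customer_id"] in taken:  # never reuse a production or earlier synthetic id
            s["customer_id"] = f"C-{rng.randint(10000, 99999)}"
        taken.add(s["customer_id"])
        out.append(s)
    return out

def find_leaks(synthetic: list, production: list) -> list:
    # Any direct identifier that survived into the synthetic set is a leak; expect [].
    real = {(k, r[k]) for r in production for k in DIRECT_IDENTIFIERS}
    return [(k, s[k]) for s in synthetic for k in DIRECT_IDENTIFIERS if (k, s[k]) in real]
```

Running `find_leaks` over the real non-production extract before it is deleted is the inventory check the first move calls for: a non-empty result is a concrete list of what still has to go.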
The expected annual cost of doing nothing is now of a scale that boards should be reviewing the synthetic-data, access-control, and incident-response posture quarterly.
Methodology notes
This document aggregates publicly available data from FTC enforcement filings, state Attorney General consent orders, SEC enforcement releases, FinCEN advisories, the HHS OCR breach portal (for fintech-adjacent entities), the Privacy Rights Clearinghouse breach database, IBM's Cost of a Data Breach annual reports, and our own review of fintech consent orders 2023–2025. Filtering choices, category boundaries, and our interpretive synthesis are our own; the underlying datasets are publicly verifiable.
We have deliberately not named individual firms, attorneys, or specific consent-order docket numbers in this synthesis — both because the patterns are more useful than the cases, and because singling out specific actors creates a different document than the one we set out to write. Researchers and journalists interested in the underlying records will find them in the sources cited above.
We expect to update this document annually. If you'd like to be notified when the 2027 update is published, the easiest path is to create an account — we'll send a single email when the next version is out.
Key takeaways
- The amended GLBA Safeguards Rule (June 2023) is the largest single change to fintech PII compliance in a decade — and the FTC has begun publishing what "reasonable" looks like via consent orders.
- Vendor / third-party breaches are the dominant single category since the MOVEit cascade; vendor management is where the most-cited deficiencies now live.
- Backup, analytics, and ML training environments are the most consistently overlooked surfaces — and the GLBA amendments treat them all as in-scope.
- State AG enforcement adds a second front; a national fintech is potentially exposed to 50 breach-notification regimes and multiple private-litigation paths.
- The actuarially-expected all-in breach cost ($15M–$100M) now structurally exceeds the cost of the controls and synthetic-data corpora that would prevent or contain most incidents.
This document is general industry analysis intended for fintech compliance, security, and engineering leadership. It is not legal advice. Firms facing specific incidents or regulatory inquiries should consult qualified counsel.