35up risk score

Section 1: Company Overview
35up is a financial services and fintech participant that provides a mix of consumer and commercial financial products and data-driven services. Operating in heavily regulated markets, the company connects customer financial information with service platforms and handles sensitive personally identifiable and financial data. Because of its role in payments, account access, or wealth services (as applicable), 35up must meet strict regulatory and operational security requirements; protecting data confidentiality, integrity, and availability is central to its business continuity and reputation.

Section 2: Historical Data Breaches
35up’s public security history shows multiple incidents that exposed weaknesses in third-party controls, legal handling, and internal governance. One early incident involved unauthorized use of an access credential held by an outside bureau, which allowed retrieval of several thousand consumer records; after investigation, the scope was reduced but authorities were engaged. In a separate episode tied to legal discovery, a large batch of client documents—containing names, tax identifiers, portfolio details, and advisor notes—was disclosed without robust protection, creating substantial privacy exposure. More recently, 35up experienced internal data leakage when an employee forwarded confidential customer files to personal email, affecting roughly 10,000 accounts. Across these events, the company’s responses have included notifying affected customers, engaging law enforcement or regulators, and taking personnel actions.

Section 3: Recent Security Breach
The most recent notable incident at 35up was an internal-control failure in June 2023. An employee transmitted customer-sensitive information to a personal account, leading to the compromise of approximately 10,000 customer records. This was an insider-driven exposure rather than an external intrusion. 35up responded by terminating the employee, alerting impacted clients, increasing monitoring of the affected accounts, and revising some internal procedures. The breach highlights persistent challenges with data access controls, outbound data monitoring, and enforced handling policies.

Section 4: Evaluation of Digital Security
A technical assessment of 35up’s security posture indicates material shortfalls relative to recommended benchmarks. Key findings include a substantial volume of phishing and malware weaknesses (approximately 1,000 identified), a single network-security issue suggesting a remedial gap, and pervasive website configuration problems—about 1,866 issues, nearly all tied to SSL/TLS misconfiguration. Credential hygiene is a pronounced concern: roughly 15% of employees were observed reusing previously breached passwords, and about 16,390 corporate credentials were flagged as compromised. The aggregate security score produced by the evaluation is 71/100, reflecting significant room for improvement.

These findings imply several technical and operational vulnerabilities:
- SSL/TLS misconfigurations greatly increase the risk of interception and downgrade attacks against web properties and APIs; immediate remediation of certificate chains, supported cipher suites, and HSTS policies is required.
- High counts of phishing/malware vulnerabilities point to insufficient end-user protections and email/web gateway tuning; targeted anti-phishing controls, advanced email filtering, and endpoint detection must be prioritized.
- Large numbers of compromised credentials and password reuse reflect poor identity hygiene. Deploying organization-wide multi-factor authentication (MFA), credential rotation, and password manager adoption should be urgent.
- Insider risk controls need strengthening: data loss prevention (DLP), strict least-privilege access, robust logging, and automated outbound-data controls would mitigate repeat incidents.

Regulatory and legal processes also need attention. The prior legal-disclosure event demonstrates the necessity of secure channels for sharing sensitive materials (encrypted upload portals, controlled e-discovery workflows) and stricter vendor and third-party access governance.

Conclusion: Is 35up Safe?
35up’s historical breaches and the current assessment indicate material security gaps that elevate financial, reputational, and privacy risk. Immediate priorities should include closing SSL/TLS and website misconfigurations, forcing password resets and rolling out MFA, deploying DLP and stronger insider controls, and hardening email and endpoint defenses. Conduct an independent security audit, implement continuous monitoring and incident response tabletop exercises, and notify regulators and customers per applicable law. With these actions, 35up can reduce near-term exposure and restore stakeholder confidence.