Most fintechs fail API security, risking sensitive payment data

Techday NZ

03-07-2025

New research conducted by Raidiam highlights significant weaknesses in API security across fintech companies, SaaS platforms, payments firms, and other enterprises operating outside regulated environments such as Open Banking.
The report, which assessed security practices at 68 organisations, reveals that 84% remain vulnerable due to insufficient API protections, even when dealing with sensitive or high-value data.
Widespread vulnerabilities
The research indicates that 85% of the surveyed organisations handle either payment data or special category personal data, yet only one met the benchmark for modern, cryptographic API protection. The study found that outdated or insufficient controls—such as the use of static API keys and basic OAuth secrets—prevail among most firms, leaving them open to exploitation. "We've all read the recent headlines; API security should not be an afterthought. The gap between the sensitivity of data and the strength of controls is a board-level risk – not just a technical issue," said David Oppenheim, Head of Enterprise Strategy at Raidiam.
Of the organisations surveyed, 57 out of 68 use bare API keys or basic OAuth credentials, mechanisms that have well-known security vulnerabilities. Less than half conduct regular API-specific penetration testing or runtime anomaly monitoring, measures deemed essential for identifying and addressing potential attack vectors in real time.
Real-world consequences
The report points to the 2023 Dell partner API breach as evidence that attackers are already actively exploiting these weak points in enterprise systems. These incidents underscore a growing risk for any entity exposing sensitive APIs without robust protective measures in place.
According to the report, a Security vs Sensitivity Matrix mapping exercise revealed a severe misalignment between the sensitivity of the data held and the strength of security controls implemented. This mismatch increases the likelihood and potential impact of security incidents. "We found that even firms handling payment and personal data still rely on static API keys and basic secrets. In today's threat landscape, that's the digital equivalent of leaving the vault door open," Oppenheim added. "In regulated environments like Open Banking, stronger controls like mutual TLS and certificate-bound tokens are already standard. Outside those frameworks, there's a gaping hole."
API risk in unregulated environments is becoming a prominent concern in the industry. In early 2025, the Chief Information Security Officer at JPMorgan Chase issued a public warning about rising vulnerabilities linked to third-party platforms, advocating for a shift towards prioritising security over rapid development.
Gartner statistics cited in the report indicate that API breaches tend to leak 10 times more data than traditional attacks. The report states, "This isn't theoretical — attackers are already in."
Recommendations for addressing risk
The report provides a four-step action plan for organisations seeking to bridge the gap between data sensitivity and protection. It recommends elevating API security to a board-level priority, modernising controls through cryptographic methods such as mutual TLS (mTLS) and sender-constrained access tokens, increasing investment in developer awareness and security testing, and working with trusted partners to accelerate adoption of proven standards and infrastructure.
Raidiam's expertise in secure digital data-sharing ecosystems is currently being made available to assist enterprise organisations in bringing API security standards up to date and closing the gaps identified by this research.
Follow us on:
Share on: