Flagstar Bank Security Breach Exposed Personal Data Of 1.5M Customers To Hackers
The data breach occurred between December 3rd and December 4th, 2021. Flagstar noted that it “experienced a cyber incident that involved unauthorized access to our networks.” There are no further details at this time about the breach itself, other than that Flagstar was quickly able to “secure its environment” and immediately began to investigate.
Unfortunately, the bad actors gained access to the personal information of over 1.5 million customers. This included data such as names and Social Security numbers. Flagstar uncovered the bad news earlier this month once its investigation concluded and sent a notification to the impacted customers. Flagstar has not provided an official statement other than the letters it sent to customers. It is unclear at the moment why the investigation took six months to complete and why Flagstar has waited so long to inform customers of the data breach.
Flagstar has assured customers, “We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident.” The bank recommends that customers keep an eye on their accounts and report any suspicious activity to law enforcement, review their credit report, potentially place a fraud alert or security freeze on their account, check out identity protection programs, and generally be cautious about giving out personal information. Flagstar is also offering two years of identity monitoring and protection services through Kroll for free.
Flagstar Bank is one of the largest banks in the United States, with over 150 branches and more than $23.2 billion USD in total assets. The data breach is therefore particularly concerning, especially as this is not the first time the bank has been breached. A ransomware group referred to as “Clop” was able to breach the bank’s servers in January 2021 by first breaching the servers of Accellion. Flagstar previously used Accellion’s legacy file-sharing program, File Transfer Appliance (FTA). Institutions such as Morgan Stanley were also affected by this particular breach.