Flagstar Bank has sent a notice to its more than 1.5 million customers that their personal data was accessed by hackers during a cyber attack in December 2021.
Flagstar Bank is one of the largest banks in the United States, headquartered in Michigan, with total assets exceeding $30 billion.
In December 2021, there was a security incident at Flagstar Bank, where attackers compromised the bank’s internal network. Since then, the bank has launched an investigation into the incident, and recently discovered that the attackers accessed sensitive information of many customers at the time, including names and social security numbers.
“Immediately following the attack, we activated our security incident response plan, hired external cybersecurity experts experienced in handling such incidents, and reported the matter to federal law enforcement,” the head of Flag Star explained. “As of now, we have not seen evidence of misuse of our customers’ information. However, out of an abundance of caution, we feel it is necessary to let customers know about this,” he said. Also he indicates that they didn’t do data protection well before, so it is the great mistake.
A total of 1,547,169 Americans were affected by the data breach, according to information filed with the Office of the Maine Attorney General.
As for further questions from the media, including what types of data may have been exposed, and why it took so long to discover the incident, Flagstar Bank has yet to give a positive response.
Previous security issues
This is the second major security incident at Flagstar Bank within a year.
In January 2021, the ransomware gang Clop exploited a zero-day vulnerability in the Accellion FTA server to compromise the bank’s servers.
The incident has affected numerous entities that do business with tech company Accellion Inc, including Bombardier, Singtel, the New Zealand Reserve Bank and Washington’s State Auditor office).
The leak resulted in Flag Star being blackmailed by the Clop gang, exposing its customers’ data to cybercriminals. Subsequently, the bank terminated its cooperation with the Accellion platform.
In that attack, the stolen data samples included customers’ names, social security numbers (SSNs), home addresses, tax records and phone numbers. Eventually, the data was all released to the outside world on Clop’s data breach website.