Latest Data Breach At Flagstar Bank Puts 1.5 Million Customers At Risk Of Identity Theft
Flagstar Bank, a Michigan-based financial services provider and one of the largest banks in the United States, has recently begun notifying 1.5 million customers of a data breach that occurred during a December 2021 cyber attack.
According to data breach notifications sent to exposed customers, Flagstar experienced a security incident over a two day period in December 2021 when intruders breached the bank’s corporate network.
It wasn’t until June 2, 2022, a full six months after the breach, that an investigation discovered that the threat actors accessed sensitive customer details, including full names and social security numbers.
“Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement,” explains the notice.
“We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident.”
Flagstar is providing free two years of identity monitoring and protection services to impacted individuals. What happens beyond that time frame is not clear.
Based on information submitted to the Office of the Maine Attorney General, the data breach affected 1,547,169 people in the United States.
Second Data Breach At Flagstar In Less Than A Year
This is the second major security incident to impact Flagstar and its customers in a year.
In January 2021, the ransomware gang Clop breached Accellion FTA servers by exploiting a zero-day vulnerability, resulting in an indirect compromise of Flagstar client and employee data.
This breach resulted in Flagstar Bank being extorted by Clop, its customers having their data exposed to cyber criminals, and the financial institute ending its collaboration with the Accellion platform.
Samples of stolen data, including names, SSNs, addresses, tax records, and phone numbers, were eventually published on Clop’s data leak site.
A lawsuit was recently filed against Flagstar on behalf of affected customers and you can learn about it here.