Flagstar Bank Breach Affects 1.5 Million Customers
Bank Discovers Breach 6 Months After Attack; Second Such Incident in 2 Years
A bank that numbers among America's largest issuers of home mortgage loans is telling customers it was hacked late last year and just this month detected the data breach.
More than 1.5 million individuals are affected by the incident, Michigan-based Flagstar Bank tells regulators in Maine.
Hackers took names or other personal identifiers along with matching Social Security numbers. Officials from the publicly traded financial institution say there's no evidence of the data being misused and the bank's services continue to operate normally.
An unidentified threat actor gained unauthorized access to the bank's systems sometime around last Dec. 4 or Dec. 5. It wasn't until June 2, following "an extensive forensic investigation and manual document review," that bank officials discovered the breach.
"We take the security of our network and the personal information entrusted to us with the utmost seriousness," the bank told Information Security Media Group in a statement.
The bank is offering affected customers two years of free credit monitoring and identity theft restoration services.
Two Incidents in Two Years
This latest breach comes just 14 months after hackers exploited a vulnerability in legacy file transfer software to access Flagstar files containing customer and employee data (see: Accellion Data Breach Ensnares Energy Giant Shell).
The leaked data included names, phone numbers, addresses and Social Security numbers. Flagstar warned its customers that the threat actors responsible were contacting bank customers by email and telephone to scam them.
Days later, the Cl0p ransomware gang published employee information on its leak website as well as screenshots of tax and mortgage documents, presumably belonging to the bank's customers.
In September 2021, Flagstar agreed to pay $5.9 million to settle a class action lawsuit filed on behalf of 1.48 million affected consumers. As part of the settlement, the bank pledged "various enhancements" to its third-party vendor risk management program. Victims of the data breach could choose between three years of credit monitoring and identity theft insurance or a one-time cash payout of well below $1,000. Victims with verifiable financial losses could obtain reimbursements of up to $10,000.
Other victims of the same vulnerability, found in products made by California-based secure file-sharing company Accellion, include the Washington State Auditor's Office; the Australian Securities and Investments Commission, Australia’s financial regulator; the Reserve Bank of New Zealand; the University of Colorado and the supermarket chain Kroger.
A Lesson in Cybersecurity
Data from this round of Flagstar data breaches appears not to have been misused so far, but it's "not uncommon for attackers to wait for just the right time to exploit the data they've breached," says Neil Jones, cybersecurity evangelist at Egnyte.
He adds that organizations can protect themselves against such incidents by:
- Combining data security with effective ransomware detection and intrusion prevention and detection initiatives;
- Implementing effective processes to manage zero-day threats, especially when PII is stored in critical production servers;
- Conducting frequent technological audits to prevent exploitation of vulnerabilities.