Flagstar Bank Is The Latest Victim Of Accellion Hacks, Customer Data Breached

Flagstar Bank is the latest victim of a series of attacks that abuse a zero-day vulnerability in Accellion software. Flagstar Bank has now stopped using the platform, which is soon to be phased out.

The US-based bank, headquartered in Michigan, is a subsidiary of Flagstar Bancorp. It is one of the largest residential mortgage servicers and one of the largest banks in the United States.

Accellion’s File Transfer Appliance (FTA) is a widely used file-sharing program. Though it has been discontinued and supplanted by other software such as Kiteworks, a zero-day vulnerability in the legacy software has been exploited by attackers since December. 

Among a hundred victims are Qualys, the Reserve Bank of New Zealand, Transport for New South Wales (TfNSW), and the Australian Securities and Investments Commission (ASIC).

In a statement posted on its website, Flagstar Bank says that the bank first learned about a security issue from Accellion on January 22, 2021. Answering a question from one client as to why it didn’t notify clients sooner, the bank said “investigations of this nature take time and the results are not instantaneous.”

“After Accellion informed us of the incident, Flagstar permanently discontinued use of this file sharing platform,” Flagstar Bank says. 

However, this decision came a little too late: Flagstar Bank learned that the unauthorized party had accessed some of Flagstar’s information on the Accellion platform and that it had become one of numerous Accellion clients who fell victim to cybercriminals.

In an email sent to a customer on March 6, ZDNet reports, Flagstar Bank wrote it “acted immediately to contain the threat and have engaged a team of third-party forensic experts to investigate and determine the full scope of this incident.”

The bank’s operations had not been impacted, as the Accellion platform was “segmented” from the core banking and mortgage systems. 

Flagstar Bank did not offer any information as to the number of customers affected by the leak, or what records may have been compromised. The bank added that anyone thought to be involved will be contacted via mail and “will receive information regarding free credit monitoring services.”

The bank promised they are working as fast as they can to ensure “a thorough, diligent review and are committed to providing updates” once they have them.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.