Flagstar Bank is notifying 1.5 million clients of a data breach in which hackers gained access to personal information during a cyberattack in December. Flagstar is a financial services company established in Michigan and one of the country’s largest banks, with total assets of more than $30 billion.
According to data breach notices sent to affected clients, Flagstar suffered a security incident in December 2021, when attackers accessed the bank’s internal network. The bank learned on June 2nd, after an investigation, that the threat actors had accessed sensitive client information, including full names and Social Security data.
“Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement,” explains the notice. “We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident.”
Affected individuals will get two years of free identity monitoring and protection services from Flagstar. According to information filed with the Maine Attorney General’s Office, the data breach affected 1,547,169 persons across the country.
The media approached Flagstar with further questions, such as which categories of data may have been exposed and why it took so long to detect the breach, but the bank’s response provided no additional information. Flagstar and its clients have been the victims of two significant security incidents in the last year.
Clop, a ransomware group, penetrated the bank’s systems in January 2021 by leveraging a zero-day vulnerability in Accellion FTA servers. Bombardier, the New Zealand Reserve Bank, Singtel, and the Washington State Auditor’s Office were among the other organizations that did business with Accellion and were affected by the event.
Clop extorted Flagstar Bank, its clients’ data was exposed to hackers, and the financial institution ended its partnership with the Accellion platform because of the incident. Clop’s data leak site eventually published samples of the stolen data, including names, SSNs, addresses, tax information, and phone numbers.