Flagstar, a Michigan-based bank that was hacked by a ransomware gang, has notified its customers that their Social Security Numbers, full names, phone numbers, and home addresses were leaked to the hackers.
Even people who never had an account with the bank or had one years ago received the bad news, several victims told Vice’s Motherboard.
The attackers exploited flaws in the soon-to-be-defunct Accellion Orion software.
Two weeks ago, the bank published a disclosure about the late January hack but didn’t give details about the data breach at the time. Previously, it said that SSNs of its own employees had been stolen.
“On March 6, 2021, we determined that one or more of the documents removed from the Accellion platform contained your Social Security Number, First Name, Last Name, Phone Number, Address,” Flagstar said.
A spokesperson for Flagstar refused to say how many customers lost their Social Security Numbers.
The bank is offering all impacted customers a subscription with Kroll that provides identity monitoring at no cost for two years.
Gregory Austin, one of the victims, has never been a Flagstar customer, yet his SSN was still stolen. Austin claimed that the bank he got his mortgage from sold it to Flagstar without his consent in 2019.
“I hate that a company can just give my information to another company without my input,” Austin told Motherboard in an online chat.
Another victim of the hack, a woman who wanted to remain anonymous, said she closed her account with Flagstar a decade ago, yet the bank kept her details on file, and they were later stolen by the hackers.
The hacking group Cl0p demanded a ransom from Flagstar two weeks ago. Obviously, Flagstar refused to comply with the ransomware gang’s demands, and the gang released its customers’ private information.