Flagstar Bank discloses data breach impacting 1.5 million customers

Flagstar Bank is notifying 1.5 million customers of a data breach where hackers accessed personal data during a December cyberattack.

Flagstar is a Michigan-based financial services provider and one of the largest banks in the United States, having total assets of over $30 billion.

According to data breach notifications sent to exposed customers, Flagstar experienced a security incident in December 2021 when intruders breached the bank’s corporate network. 

After an investigation, the bank discovered on June 2nd that the threat actors accessed sensitive customer details, including full names and social security numbers.

“Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement,” explains the notice.

“We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident.”

Flagstar is providing free two years of identity monitoring and protection services to impacted individuals.

Based on information submitted to the Office of the Maine Attorney General, the data breach affected 1,547,169 people in the United States.

Bleeping Computer contacted Flagstar with further questions, including what types of data have been potentially exposed and why it took so long to discover the breach, but the response didn't provide any additional details.

Previous security troubles

This is the second major security incident to impact Flagstar and its customers in a year.

In January 2021, the ransomware gang Clop breached Accellion FTA servers by exploiting a zero-day vulnerability, resulting in an indirect compromise of Flagstar client and employee data.

That incident affected numerous entities doing business with Accellion, including Bombardier, Singtel, the New Zealand Reserve Bank, and Washington’s State Auditor office.

This breach resulted in Flagstar Bank being extorted by Clop, its customers having their data exposed to cybercriminals, and the financial institute ending its collaboration with the Accellion platform.

Samples of stolen data, including names, SSNs, addresses, tax records, and phone numbers, were eventually published on Clop’s data leak site.