Flagstar Bank disclosed a data breach that leaked the personal information of 1.5 million customers.
An investigation that concluded on June 2, 2022, determined that hackers had accessed sensitive customer information during a December 2021 intrusion. The bank said it had notified affected individuals, reported the incident to federal law enforcement, and activated its incident response plan.
Flagstar Bank is a subsidiary of Flagstar Bancorp with over 150 branches in several states, including California, Indiana, Ohio, and Wisconsin. The bank holds assets valued at over $30 billion.
Hackers stole social security numbers in the Flagstar data breach
Flagstar filed a data breach notification with the Office of the Maine Attorney General, a disclosure that is mandatory when more than 1,000 Maine residents are affected.
The company indicated that hackers accessed names and other personally identifiable information (PII) and Social Security numbers of 1,547,169 customers, including 1,028 Maine residents.
In a standard notification letter sent to customers, Flagstar said it initiated incident response protocols after detecting the network security breach.
“Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement,” Flagstar’s website stated.
The company indicated that its services were not impacted and continued to operate normally. While noting that it was still early in the investigation, Flagstar told its customers that it had no evidence the stolen data had been misused.
However, the bank advised its customers to be vigilant for potential fraud.
“We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident,” the data breach notification letters sent to customers indicated.
The Michigan-based Flagstar Bank also offered the breach victims two years of free identity monitoring through Kroll to help protect them from identity theft, a crime in which fraudsters use stolen details such as names and Social Security numbers to apply for loans or credit cards, or to file fraudulent tax returns.
Flagstar advised the victims to monitor their financial statements closely. Additionally, they could request a free credit report and place a security freeze on their credit file. The two-year monitoring service will also include fraud consultation and identity theft restoration.
Flagstar also said it would strengthen its security controls to reduce the risk of similar incidents in the future.
However, the bank did not disclose the data breach attack vector or whether the incident was a third-party breach or an internal vulnerability.
“Virtually every major security challenge from ransomware to insider threats requires one core element: access,” Tim Prendergrast, CEO of strongDM, said. “While much has been done to address physical security and application access, there is one glaring vulnerability: infrastructure access.
“This gap is critical, as getting access to infrastructure is the equivalent of getting the keys to the kingdom – as the ransomware incident at Flagstar Bank illustrates.”
Prendergrast advised CISOs who lack a centralized access management system to find ways of securing infrastructure without obstructing legitimate access.
Second data breach in less than 12 months
The December 2021 data breach occurred less than a year after a similar incident impacted the same number of customers.
The Accellion data breach also affected 1.5 million Flagstar customers and led the financial institution to pay $5.9 million in out-of-court settlements. The incident was attributed to the Clop ransomware gang, which published the stolen data, including customer names, phone numbers, Social Security numbers, and tax records.
However, Flagstar asserted that hackers did not compromise its internal systems during the Accellion data breach. Instead, they accessed information left on Accellion servers after the bank discontinued the platform. Flagstar Bank was among at least 100 companies impacted by the Accellion data breach.
According to Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, organizations should “take aggressive and proactive action to ensure that any vendor or supplier with access to their systems or data has appropriate controls in place for data protection including strong access controls, multi-factor authentication, encryption of data at rest, as well as robust auditing and alerting capabilities.”