
Flagstar Bank Suffers a MOVEit Data Breach Impacting Over 800,000 Customers

Flagstar Bank has disclosed a third-party data breach that leaked sensitive personal information of over 800,000 US customers.

The Troy, Michigan-based bank said its payment processing and mobile banking services provider, Fiserv, suffered a MOVEit data breach, ultimately leaking customer data.

“The incident involved vulnerabilities discovered in MOVEit Transfer, a file transfer software used by our vendor to support services it provides to Flagstar and its related institutions,” Flagstar Bank told its customers.

With assets worth over $31 billion and annual revenue of over $1.9 billion, the New York Community Bank-owned financial services company is one of the largest banks in the United States.

Social Security Numbers leaked in the Flagstar Bank data breach

Flagstar said the data breach occurred between May 27 and 31, 2023, while the vulnerability was still publicly unknown, and that the intrusion was detected on June 3, 2023.

By then, threat actors had copied and transferred some files from the compromised file transfer system. The stolen files included customer information, which varied between individuals.

Subsequently, the third-party service provider investigated the incident, identified the victims, and patched the vulnerable system according to the developer’s guidelines.

In a regulatory filing with the Office of the Maine Attorney General, Flagstar Bank disclosed that the data breach exposed names and other personal identifiers, including Social Security Numbers (SSNs), of 837,390 individuals.

However, the Flagstar Bank data breach never compromised the company’s internal IT systems or disrupted banking operations. Uncertainty remains about whether the Clop ransomware gang demanded a ransom to avoid publishing or misusing the stolen customer information.

Although Flagstar has no evidence that the threat actors misused the information, the bank offered victims two years of complimentary identity monitoring services through Kroll to protect them from fraud. Under that plan, victims are entitled to credit monitoring, fraud consultation, and identity theft restoration services.

Meanwhile, the financial services institution advised customers to monitor their transactions and account statements for unauthorized activity.

Worryingly, Fiserv serves hundreds of financial institutions, which could be at risk of exposing sensitive customer information. German banks Deutsche Bank AG and Majorel Germany have confirmed MOVEit data breaches in unrelated incidents.

“The interconnected nature of the financial industry means that breaches at third-party providers, like MOVEit and Fiserv, can have cascading effects, impacting not only a single institution but potentially an entire sector,” said Paul Valente, CEO & Co-Founder of VISO TRUST. “That’s why collective efforts and strategic automation and nth party intelligence are crucial in enhancing overall cybersecurity resilience.”

By October 13, 2023, the MOVEit data breach had affected over 2,500 organizations worldwide, collectively impacting over 64 million individuals, according to the New Zealand-based threat intelligence firm Emsisoft.

Flagstar Bank has suffered numerous recent data breaches

Flagstar Bank has suffered numerous data breaches in the last three years. In March 2021, the financial services company leaked the personal data of over 1.6 million US customers after the Clop ransomware gang exploited the Accellion file transfer server security vulnerabilities.

The cybercrime gang compromised over 100 organizations worldwide, including Harvard Business School, Singtel, Jones Day, Goodwin Procter, and the City of Toronto.

The Flagstar Accellion data breach exposed customer and employee information, including names, addresses, phone numbers, tax records, and SSNs.

Similarly, in June 2022, Flagstar disclosed that threat actors had breached its corporate network and stolen the customer data of over 1.5 million individuals. That breach occurred between December 3, 2021, and December 4, 2021, but the bank did not notify victims until more than six months later.