Flagstar Bank Was Hacked in December, Over 1.5 Million Customers Impacted

Customers are only now being informed that their personal details were stolen 6 months ago.

June 22, 2022

UPDATE 6/23: Flagstar Bank has been in touch to clarify the events surrounding the personal details of more than 1.5 million customers being stolen.

Although the letter sent out to affected customers on June 2 states the bank "recently experienced a cyber incident," Flagstar says it "detected and contained the incident in December 2021." So why did it take until June this year to inform customers? As Flagstar explains:

"Our thorough forensic investigation, which took place over the course of several months, has provided us with a comprehensive understanding of this incident’s impact and scope. Now that the extensive forensic investigation is complete, we are in the process of notifying individuals who may have been impacted directly via U.S. mail."

That will be of little comfort to anyone who had their details stolen back in December and is only now finding out about it.

Flagstar also clarified that its systems weren't compromised in late 2020. Instead, Accellion, a vendor that Flagstar used for its file sharing platform, had a vulnerability exploited by an unauthorized third party. Even though Flagstar "permanently discontinued" use of the platform, information from Flagstar stored on Accellion's platform was accessed in January 2021.


Original Story 6/22:
Flagstar Bank, which operates 150 branches across 28 states in the US, released details this month of a hacking incident resulting in the personal details of over 1.5 million customers being stolen.

As The Register reports, the bank's computer system was compromised last December, but the bank didn't realize it had been hacked until this month (June 2). On further investigation, it was discovered that "at least" the names and Social Security numbers of 1,547,169 people in the US had been taken.

In a letter (PDF) to customers sent out on June 17 alongside a "How to Protect Your Information" post on its website, Flagstar said it has now hired "external cybersecurity professionals" and reported the incident to federal law enforcement. The personal details of customers were accessed between Dec. 3-4 last year, meaning there has been plenty of time for them to be misused for identity theft. Flagstar states it has no evidence of that, though.

Flagstar is offering affected customers two years of identity monitoring through Kroll, which will include credit monitoring, fraud consultation, and identity theft restoration services if necessary. The bank also included a "steps you can take" guide with the letter to help customers check their accounts for suspicious activity going forward.

If being hacked and not realizing for months wasn't bad enough, this isn't the first time Flagstar has had its systems compromised. A much larger security breach occurred in late 2020 impacting more than 100 companies, one of which was Flagstar. It resulted in Flagstar being sued by its customers, paying out $5.9 million to settle the lawsuit, and agreeing to enhance its risk management and data privacy practices. Clearly those enhancements need further enhancing.

About Matthew Humphries

Senior Editor

I started working at PCMag in November 2016, covering all areas of technology and video game news. Before that I spent nearly 15 years working at Geek.com as a writer and editor. I also spent the first six years after leaving university as a professional game designer working with Disney, Games Workshop, 20th Century Fox, and Vivendi.
