Skip links

Info on 1.5m people stolen from US bank in cyberattack

A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

In a statement to the office of Maine’s Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization’s sysadmins, however, said they didn’t discover the intrusion until now. On June 2, they realized criminals “accessed and/or acquired” files containing personal information on 1,547,169 people.

“Flagstar experienced a cyber incident that involved unauthorized access to our network,” the bank said in a statement emailed to The Register.

“Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement,” it continued. “We continue to operate all services normally.”

The bank has offered affected customers identity theft protection services, and late last week mailed letters [PDF] notifying everyone who may have had their data stolen. “We have no evidence that any of the information has been misused,” the letter stated.

Headquartered in Michigan, the bank and mortgage lender has more than 150 branches nationwide and home loan offices in 28 states.

Flagstar also suffered a security breach when, in late 2020, the Clop gang exploited a zero-day vulnerability in Accellion’s legacy file-transfer appliance and siphoned data belonging to more than 100 organizations including Royal Dutch Shell, defense contractor Bombardier, and Flagstar. That attack exposed about 1.48 million customers’ bank account information, Social Security numbers, passport data, and other private information.

Those customers sued the bank after that intrusion, and in September 2021, Flagstar agreed to pay $5.9 million to settle the lawsuit. Folks whose data was exposed were entitled to either three years of free credit monitoring services, or a payout between $99 and $316.

The bank also agreed to make “various enhancements” to its third-party vendor risk management program along with “other data privacy enhancements,” according to court documents.

Plus, Flagstar agreed to monitor the dark web for any indications of people’s personal data being sold, or other fraudulent activity related to the security breach.

In a statement provided to The Register following the latest breach disclosure, a spokesperson for the bank said: “We take the security of our network and the personal information entrusted to us with the utmost seriousness.”

But after two significant data security breaches in less than two years, perhaps it’s time for a fresh security strategy. ®