US Bank Loses Critical Data Of Over A Million Customers - Again
Michigan-based Flagstar Bank, which has more than 150 branches across several US states, has disclosed a data breach that involved threat actors accessing files containing the personal information of 1.5 million individuals.
The bank said at least the names and social security numbers of its customers were stolen from its computers in December 2021. In a statement to the office of Maine's Attorney General, Flagstar Bank said it was compromised between December and April 2021.
Some reports have suggested that the banks' systems administrator didn't discover the intrusion until June 2, when they realised criminals had "accessed and/or acquired" files containing personal information on 1,547,169 people.
In contrast, a Flagstar spokesperson said “We detected and contained the incident in December 2021 when it occurred. Upon detection, we immediately took steps to secure our environment and commenced a thorough investigation... Our thorough forensic investigation, which took place over the course of several months, has provided us with a comprehensive understanding of this incident’s impact and scope. Now that the extensive forensic investigation is complete, we are in the process of notifying individuals who may have been impacted directly via U.S. mail.”
The bank has offered affected customers identity theft protection services, and has mailed letters notifying everyone who may have had their data stolen. "We have no evidence that any of the information has been misused," the letter stated. Flagstar has more than 150 branches nationwide and home loan offices in 28 states and is one of the largest banks in the US with total assets of over $30B.
Flagstar also suffered a security breach when, in late 2020, the Clop gang exploited a zero-day vulnerability in Accellion's legacy file-transfer appliance and siphoned data belonging to more than 100 organisations including Royal Dutch Shell, defense contractor Bombardier, and Flagstar.
That attack exposed about 1.48 million customers' bank account information, Social Security numbers, passport data, and other confidential information.
Those customers sued the bank after that intrusion, and in September 2021, Flagstar agreed to pay $5.9 million to settle the lawsuit. Folks whose data was exposed were entitled to either three years of free credit monitoring services, or a payout between $99 and $316.
The bank also agreed to make "various enhancements" to its third-party vendor risk management program along with "other data privacy enhancements," according to court documents.
Recently over 1.5 million US bank cards were found dumped on the Dark Web, according to research by NordVPN. They found a total of 1,561,739 American payment card details were found by independent researchers to be for sale on the Dark Web. Additionally, the average price for an American card on the dark web was $5.80.
Flagstar agreed to monitor the Dark Web for any indications of people's personal data being sold, or other fraudulent activity related to the security breach. But after two significant data security breaches in less than two years, perhaps it's time for a fresh security strategy.
Maine.Gov: TEISS: The Register: Security Week: DSL Reports: ZDNet: Bleeping Computer:
You Might Also Read: