US Bank Loses Critical Data Of Over A Million Customers - Again

Uploaded on 2022-06-27 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

Michigan-based Flagstar Bank, which has more than 150 branches across several US states, has disclosed a data breach that involved threat actors accessing files containing the personal information of 1.5 million individuals. 

The bank said at least the names and social security numbers of its customers were stolen from its computers in December 2021. In a statement to the office of Maine's Attorney General, Flagstar Bank said it was compromised between December and April 2021.

Some reports have suggested that the banks' systems administrator didn't discover the intrusion until June 2, when they realised criminals had "accessed and/or acquired" files containing personal information on 1,547,169 people. 

In contrast, a Flagstar spokesperson said “We detected and contained the incident in December 2021 when it occurred. Upon detection, we immediately took steps to secure our environment and commenced a thorough investigation... Our thorough forensic investigation, which took place over the course of several months, has provided us with a comprehensive understanding of this incident’s impact and scope. Now that the extensive forensic investigation is complete, we are in the process of notifying individuals who may have been impacted directly via U.S. mail.”

The bank has offered affected customers identity theft protection services, and has mailed letters notifying everyone who may have had their data stolen. "We have no evidence that any of the information has been misused," the letter stated. Flagstar has more than 150 branches nationwide and home loan offices in 28 states and is one of the largest banks in the US with total assets of over $30B. 

Flagstar also suffered a security breach when, in late 2020, the Clop gang exploited a zero-day vulnerability in Accellion's legacy file-transfer appliance and siphoned data belonging to more than 100 organisations including Royal Dutch Shell, defense contractor Bombardier, and Flagstar.

That attack exposed about 1.48 million customers' bank account information, Social Security numbers, passport data, and other confidential information. 

Those customers sued the bank after that intrusion, and in September 2021, Flagstar agreed to pay $5.9 million to settle the lawsuit. Folks whose data was exposed were entitled to either three years of free credit monitoring services, or a payout between $99 and $316. 

The bank also agreed to make "various enhancements" to its third-party vendor risk management program along with "other data privacy enhancements," according to court documents. 

Recently over 1.5 million US bank cards were found dumped on the Dark Web, according to research by  NordVPN. They found a total of 1,561,739 American payment card details were found by independent researchers to be for sale on the Dark Web. Additionally, the average price for an American card on the dark web was $5.80. 

Flagstar agreed to monitor the Dark Web for any indications of people's personal data being sold, or other fraudulent activity related to the security breach.  But after two significant data security breaches in less than two years, perhaps it's time for a fresh security strategy.  

Maine.Gov:      TEISS:     The Register:     Security Week:      DSL Reports:      ZDNet:     Bleeping Computer:

You Might Also Read: 

Cyber Attacks On Banks Could Trigger Financial Crisis:

« Murder Enabled By Social Media
Russia Escalates Spying On Ukraine’s Allies »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

mmCERT

mmCERT

mmCERT is the national Computer Emergency Response Team for Myanmar.

Think Cyber Security (ThinkCyber)

Think Cyber Security (ThinkCyber)

ThinkCyber is a Tel Aviv-based Israeli company with a team of cybersecurity professionals who are experts in both information and operations technology.

Cycura

Cycura

Cycura provide advanced, customized, and confidential cyber security services, cyber investigation services, and digital forensic services to governments, companies, and organizations.

TechRate

TechRate

Techrate is an analytics agency focused on blockchain technology and engineering. Or expertise includes security and technical audits of projects.

Cryptyk

Cryptyk

CRYPTYK CLOUD is the first complete enterprise-class cloud security solution that includes cloud storage and broad protection against all external and internal threats.

Redwall Technologies

Redwall Technologies

Redwall provides cybersecurity expertise and technology to prevent and respond to emerging threats against mobile applications and connected infrastructures.

Techfusion

Techfusion

Techfusion is a cyber security research and consulting firm focusing on digital forensics and data recovery.

The Citadel Department of Defense Cyber Institute (CDCI)

The Citadel Department of Defense Cyber Institute (CDCI)

CDCI is established to address the critical national security needed for a skilled cybersecurity workforce.

Enea

Enea

Enea is one of the world’s leading specialists in software for telecommunications and cybersecurity. Our products are used to enable services for mobile subscribers, enterprise customers and IoT.

Fortified Health Security

Fortified Health Security

Fortified’s team of cybersecurity specialists is dedicated to helping healthcare providers, payers and business associates protect their patient data across the Fortified Healthcare Ecosystem.

Alibaba Cloud

Alibaba Cloud

Alibaba Cloud is committed to safeguarding the cloud security for every business by leveraging a comprehensive suite of enterprise security services and products on the platform.

CyberX9

CyberX9

CyberX9 helps you protect against a wide range of cyber attacks whether you are a business or a high-net worth individual under risk.

Centric Consulting

Centric Consulting

Centric Consulting is an international management consulting firm with unmatched expertise in business transformation, AI strategy, cyber risk management, technology implementation and adoption. 

AdviserCyber

AdviserCyber

AdviserCyber provide Cybersecurity and Compliance Solutions for Registered Investment Advisers.

Vigilant Ops

Vigilant Ops

Vigilant Ops is a leader in Software Bill of Materials (SBOM) Automation. A proactive approach to cybersecurity with continuous vulnerability monitoring.

Convergint

Convergint

Convergint is a service-based systems integrator working alongside a global network of partners and manufacturers to deliver a range of solutions including cybersecurity.