US Bank Loses Critical Data Of Over A Million Customers - Again

Michigan-based Flagstar Bank, which has more than 150 branches across several US states, has disclosed a data breach that involved threat actors accessing files containing the personal information of 1.5 million individuals. 

The bank said that at least the names and Social Security numbers of its customers were stolen from its systems in December 2021, according to a breach notification it filed with the office of Maine's Attorney General.

Some reports have suggested that the bank's administrators did not discover the intrusion until June 2, 2022, when they realised criminals had "accessed and/or acquired" files containing the personal information of 1,547,169 people. 

In contrast, a Flagstar spokesperson said “We detected and contained the incident in December 2021 when it occurred. Upon detection, we immediately took steps to secure our environment and commenced a thorough investigation... Our thorough forensic investigation, which took place over the course of several months, has provided us with a comprehensive understanding of this incident’s impact and scope. Now that the extensive forensic investigation is complete, we are in the process of notifying individuals who may have been impacted directly via U.S. mail.”

The bank has offered affected customers identity theft protection services, and has mailed letters notifying everyone who may have had their data stolen. "We have no evidence that any of the information has been misused," the letter stated. Flagstar has more than 150 branches nationwide and home loan offices in 28 states and is one of the largest banks in the US with total assets of over $30B. 

Flagstar also suffered a security breach in late 2020, when the Clop gang exploited a zero-day vulnerability in Accellion's legacy File Transfer Appliance (FTA) and siphoned data belonging to more than 100 organisations, including Royal Dutch Shell, defense contractor Bombardier, and Flagstar.

That attack exposed about 1.48 million customers' bank account information, Social Security numbers, passport data, and other confidential information. 

Those customers sued the bank after that intrusion, and in September 2021 Flagstar agreed to pay $5.9 million to settle the lawsuit. People whose data was exposed were entitled to either three years of free credit monitoring services or a payout of between $99 and $316. 

The bank also agreed to make "various enhancements" to its third-party vendor risk management program along with "other data privacy enhancements," according to court documents. 

Separately, research published by NordVPN recently found more than 1.5 million US payment cards for sale on the Dark Web: a total of 1,561,739 American card records, at an average price of $5.80 per card. 

Flagstar agreed to monitor the Dark Web for any indications of people's personal data being sold, or other fraudulent activity related to the security breach. But after two significant data security breaches in less than two years, perhaps it's time for a fresh security strategy. 

Maine.Gov:      TEISS:     The Register:     Security Week:      DSL Reports:      ZDNet:     Bleeping Computer:
