US Bank Loses Critical Data Of Over A Million Customers - Again

Uploaded on 2022-06-27 in TECHNOLOGY--Hackers, FREE TO VIEW, BUSINESS-Services-Financial

Michigan-based Flagstar Bank, which has more than 150 branches across several US states, has disclosed a data breach that involved threat actors accessing files containing the personal information of 1.5 million individuals. 

The bank said at least the names and social security numbers of its customers were stolen from its computers in December 2021. In a statement to the office of Maine's Attorney General, Flagstar Bank said it was compromised between December and April 2021.

Some reports have suggested that the banks' systems administrator didn't discover the intrusion until June 2, when they realised criminals had "accessed and/or acquired" files containing personal information on 1,547,169 people. 

In contrast, a Flagstar spokesperson said “We detected and contained the incident in December 2021 when it occurred. Upon detection, we immediately took steps to secure our environment and commenced a thorough investigation... Our thorough forensic investigation, which took place over the course of several months, has provided us with a comprehensive understanding of this incident’s impact and scope. Now that the extensive forensic investigation is complete, we are in the process of notifying individuals who may have been impacted directly via U.S. mail.”

The bank has offered affected customers identity theft protection services, and has mailed letters notifying everyone who may have had their data stolen. "We have no evidence that any of the information has been misused," the letter stated. Flagstar has more than 150 branches nationwide and home loan offices in 28 states and is one of the largest banks in the US with total assets of over $30B. 

Flagstar also suffered a security breach when, in late 2020, the Clop gang exploited a zero-day vulnerability in Accellion's legacy file-transfer appliance and siphoned data belonging to more than 100 organisations including Royal Dutch Shell, defense contractor Bombardier, and Flagstar.

That attack exposed about 1.48 million customers' bank account information, Social Security numbers, passport data, and other confidential information. 

Those customers sued the bank after that intrusion, and in September 2021, Flagstar agreed to pay $5.9 million to settle the lawsuit. Folks whose data was exposed were entitled to either three years of free credit monitoring services, or a payout between $99 and $316. 

The bank also agreed to make "various enhancements" to its third-party vendor risk management program along with "other data privacy enhancements," according to court documents. 

Recently over 1.5 million US bank cards were found dumped on the Dark Web, according to research by  NordVPN. They found a total of 1,561,739 American payment card details were found by independent researchers to be for sale on the Dark Web. Additionally, the average price for an American card on the dark web was $5.80. 

Flagstar agreed to monitor the Dark Web for any indications of people's personal data being sold, or other fraudulent activity related to the security breach.  But after two significant data security breaches in less than two years, perhaps it's time for a fresh security strategy.  

Maine.Gov:      TEISS:     The Register:     Security Week:      DSL Reports:      ZDNet:     Bleeping Computer:

You Might Also Read: 

Cyber Attacks On Banks Could Trigger Financial Crisis:

« Murder Enabled By Social Media
Russia Escalates Spying On Ukraine’s Allies »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Pen Test Partners LLP

Pen Test Partners LLP

Pen Test Partners provides penetration testing, security assessment and training services.

Council on Foreign Relations (CFR)

Council on Foreign Relations (CFR)

CFR is dedicated to better understanding the world and the foreign policy choices facing the USA and other countries. Cyber security is covered within the CFR topic areas.

CERT.hr

CERT.hr

CERT.hr is the national authority competent for prevention and protection from computer threats to public information systems in the Republic of Croatia.

Spanish National Cybersecurity Institute (INCIBE)

Spanish National Cybersecurity Institute (INCIBE)

INCIBE undertakes research, service delivery and coordination for building cybersecurity at the national and international levels.

Advanced Software Products Group (ASPG)

Advanced Software Products Group (ASPG)

ASPG offers a wide range of innovative mainframe software solutions for Data Security, Access Management, System Management and CICS productivity.

Secure Innovations

Secure Innovations

Secure Innovations is a cybersecurity firm dedicated to providing top-tier cyber security solutions for the Defense and the Intelligence Community.

ATIA

ATIA

ATIA provides consulting services in the design and implementation of IT system, Information Security, ISO certification, and professional IT training and education.

Wise-Mon

Wise-Mon

Wise-Mon is expert in its field of network monitoring and control. We give solutions to huge organizations with tens of thousands of ports, as well as small companies with one switch.

Accredia

Accredia

Accredia is the national accreditation body for Italy. The directory of members provides details of organisations offering certification services for ISO 27001.

ReconaSense

ReconaSense

ReconaSense helps protect people, assets, buildings and cities with its next-gen access control and converged physical security intelligence platform.

VLATACOM Institute

VLATACOM Institute

Vlatacom Institute is privately owned accredited research and development institute, system integrator and turn-key solution provider. Areas of expertise include encryption and authentication.

Norma Inc.

Norma Inc.

Norma provides the secured wireless environment (WiFi and Bluetooth) with the unauthorized AP detection, and secures your IoT assets from various threats.

UST

UST

UST is a global provider of digital technology and transformation, IT services and solutions including managed security services.

Digital Edge

Digital Edge

Digital Edge provides unparalleled Managed Cloud Solutions, as well as superior Information Technology Support Services.

CyberTest

CyberTest

CyberTest offers cybersecurity consulting and penetration testing services that helps organizations and businesses securing their assets.

Umbrella Cyber

Umbrella Cyber

Umbrella Cyber specialises in Cyber Essentials and Cyber Essentials Plus Certification and penetration testing.