US Bank Loses Critical Data Of Over A Million Customers - Again

Michigan-based Flagstar Bank, which has more than 150 branches across several US states, has disclosed a data breach that involved threat actors accessing files containing the personal information of 1.5 million individuals. 

The bank said at least the names and social security numbers of its customers were stolen from its computers in December 2021. In a statement to the office of Maine's Attorney General, Flagstar Bank said it was compromised between December and April 2021.

Some reports have suggested that the banks' systems administrator didn't discover the intrusion until June 2, when they realised criminals had "accessed and/or acquired" files containing personal information on 1,547,169 people. 

In contrast, a Flagstar spokesperson said “We detected and contained the incident in December 2021 when it occurred. Upon detection, we immediately took steps to secure our environment and commenced a thorough investigation... Our thorough forensic investigation, which took place over the course of several months, has provided us with a comprehensive understanding of this incident’s impact and scope. Now that the extensive forensic investigation is complete, we are in the process of notifying individuals who may have been impacted directly via U.S. mail.”

The bank has offered affected customers identity theft protection services, and has mailed letters notifying everyone who may have had their data stolen. "We have no evidence that any of the information has been misused," the letter stated. Flagstar has more than 150 branches nationwide and home loan offices in 28 states and is one of the largest banks in the US with total assets of over $30B. 

Flagstar also suffered a security breach when, in late 2020, the Clop gang exploited a zero-day vulnerability in Accellion's legacy file-transfer appliance and siphoned data belonging to more than 100 organisations including Royal Dutch Shell, defense contractor Bombardier, and Flagstar.

That attack exposed about 1.48 million customers' bank account information, Social Security numbers, passport data, and other confidential information. 

Those customers sued the bank after that intrusion, and in September 2021, Flagstar agreed to pay $5.9 million to settle the lawsuit. Folks whose data was exposed were entitled to either three years of free credit monitoring services, or a payout between $99 and $316. 

The bank also agreed to make "various enhancements" to its third-party vendor risk management program along with "other data privacy enhancements," according to court documents. 

Recently over 1.5 million US bank cards were found dumped on the Dark Web, according to research by  NordVPN. They found a total of 1,561,739 American payment card details were found by independent researchers to be for sale on the Dark Web. Additionally, the average price for an American card on the dark web was $5.80. 

Flagstar agreed to monitor the Dark Web for any indications of people's personal data being sold, or other fraudulent activity related to the security breach.  But after two significant data security breaches in less than two years, perhaps it's time for a fresh security strategy.  

Maine.Gov:      TEISS:     The Register:     Security Week:      DSL Reports:      ZDNet:     Bleeping Computer:

You Might Also Read: 

Cyber Attacks On Banks Could Trigger Financial Crisis:

« Murder Enabled By Social Media
Russia Escalates Spying On Ukraine’s Allies »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Omerta

Omerta

Omerta is a global security technology and services company. We advise, consult, design, build, mitigate, protect, manage, provide and train to protect from increasing cyber threats.

Imperva

Imperva

Imperva is a leading provider of data and application security solutions including DDoS protection, Web application security, Data security and Cloud security.

The Josef Group (TJG)

The Josef Group (TJG)

The Josef Group Inc. is a certified woman-owned permanent staffing agency specializing in Information Technology, Engineering, and US Government "cleared" IT candidates.

Network Integrity Systems

Network Integrity Systems

Network Integrity Systems is a leader in network infrastructure security and offers solutions specifically developed for Government and Private Enterprise.

SecLytics

SecLytics

SecLytics is the leader in Predictive Threat Intelligence. Our SaaS-based Augur platform leverages behavioral profiling and machine learning to hunt down cyber criminals.

Cybercrime Support Network (CSN)

Cybercrime Support Network (CSN)

CSN is a public-private, nonprofit collaboration created to meet the challenges facing millions of individuals and businesses affected each and every day by cybercrime.

Cloud GRC

Cloud GRC

Cloud GRC is an innovative cybersecurity company with solutions and expertise in Cybersecurity Strategies & Frameworks, Threat & Risk Assessment, Cloud Security, and Regulatory Compliance Requirements

Reed

Reed

reed.co.uk is a leading job site in the UK, providing a full online service for anyone looking for a new job.

DKBInnovative

DKBInnovative

DKBinnovative is a best-practice driven IT management firm that provides secure, reliable IT solutions to productivity-focused clients around the globe.

ControlMap

ControlMap

ControlMap is a software as a service platform with a mission to simplify and eliminate stress from everyday operations of modern IT compliance teams.

Cyber7

Cyber7

CYBER7 is a National Cyber Security Innovation community initiated by Israel National Cyber Directorate, Ministry of Economy and Israel Innovation Authority led by Tech7 – Venture Studio.

Skyhigh Security

Skyhigh Security

Skyhigh Security enables your remote workforce while addressing your cloud, web, data, and network security needs.

Washington Technology Solutions (WaTech)

Washington Technology Solutions (WaTech)

WaTech operates the state’s core technology infrastructure – the central network and data center, provides strategic direction for cybersecurity and protects state networks from growing cyber threats.

Piiano

Piiano

Piiano offers developer-friendly privacy and security products. Reduce risk and protect your data by using our specialized security and privacy SaaS tools.

QPoint Technologies

QPoint Technologies

QPoint provides solutions and consulting in areas including software engineering, testing, cybersecurity, ICT, web, mobile, project management, and complex integration processes.