For the second time in two years, Flagstar Bank has suffered a data breach affecting around 1.5 million people. The bank sent letters to the impacting customers revealing that attackers breached its corporate network between December 3 and December 4 last year.
The bank discovered the breach six months later, on June 2, 2022, indicating the attackers accessed sensitive information, including customers’ Social Security numbers.
The company hasn’t revealed why it took so long to discover the breach, the systems targeted and the number of people affected. However, based on the breach report submitted to the Office of the Maine Attorney General, the breach affected 1,547,169 people in the United States.
So far, the bank has been rather vague in its description of the incident, labelling it as a “cyber incident that involved unauthorized access to our network” in the incident report sent to the impacted users. The report also added that there’s no evidence that any leaked information has been misused.
Impacted customers also get free access to Kroll identity monitoring services for two years. These services include Credit Monitoring, Fraud Consultation and Identity Theft Restoration, among other protective measures.
The Accellion hack also impacted Flagstar in January 2021, where the Clop ransomware gang exploited vulnerabilities in the Accellion legacy file transfer appliances to steal corporate documents. Data stolen from Flagstar involved names, phone numbers, Social Security numbers, addresses and tax records.
It’s worth pointing out that Flagstar wasn’t the only victim of the Accellion FTA server hack. Clop’s ransomware also affected several other companies, including Bombardier, Singtel, the New Zealand Reserve Bank, and Washington’s State Auditor office.