Flagstar Bank Data Breach Affects Over 800K Customers

In a recent notification, Michigan-based Flagstar Bank warned its customers about the exposure of their personal information due to a breach suffered by its third-party service provider.

With total assets of over $31 billion and more than 150 branches across several US states, Flagstar Bank was one of the largest financial services provider in the country, before its acquisition in 2022.

According to the issued notification, the bank suffered an indirect breach which led the hackers to access sensitive information of around 837,390 customers. Fiserv, a vendor which Flagstar uses for payment processing and mobile banking services, was impacted by the infamous Cl0P MOVEit Transfer attack.

The attack which occurred in May 2023, involved the MOVEit file transfer software, wherein unknown hackers had exploited a zero-day vulnerability to breach thousands of organizations worldwide to steal data.

Fiserv, which was also one of the targeted organizations, saw its system and files being accessed by unauthorized threat actors. ‘’During that time, unauthorized actors obtained our vendor files transferred via MOVEit. These files included Flagstar Bank and related institution customer information, including yours,’’ the notification revealed.

The type of stolen information was not disclosed by Flagstar in the notification. However, according to the information available on the Maine Attorney General office portal, the stolen data included names, other personal identifiers, and Social Security Number (SSNs).

The bank however confirmed that none of its internal system or customer service was impacted by the breach. It also revealed the remediation steps taken to prevent such incidents in future, including deploying necessary security measures, informing relevant authorities, and offering free identity monitoring service to impacted customers for two years.

This is the third time that Flagstar has suffered a data breach since March 2021. Earlier, in June 2022, it had disclosed a data breach of its corporate network, impacting nearly 1.5 million of its customers.