Flagstar Bank breach leaks Social Security numbers of more than 1.5 million people
Flagstar Bank admitted that the names and Social Security numbers of more than 1.5 million customers were leaked during a data breach that started on December 3.
In letters sent out to victims on Friday, the bank said hackers broke into its systems on December 3 and December 4 last year, but they only realized sensitive customer information was accessed on June 2.
“Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement,” the bank said.
Documents filed with the Attorney General of Maine said 1,547,169 people were affected by the breach.
Flagstar Bank said it is offering victims two years of free identity monitoring through Kroll. The services include credit monitoring, fraud consultation and identity theft restoration.
Flagstar Bank, which is based in Michigan, did not respond to requests for comment about why it took six months to notify such a large number of customers. Company spokesperson Susan Bergesen would only share a statement that restated much of what was in the letters to victims.
Bergesen added that the bank is "in the process of notifying individuals who may have been impacted directly via U.S. mail to extend complimentary credit monitoring services."
The bank was previously hacked by the Clop ransomware group through the widely exploited zero-day vulnerability in Accellion file-sharing servers.
Several organizations were attacked alongside Flagstar Bank, including Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, the QIMR Berghofer Medical Research Institute, Singapore telco Singtel, security firm Qualys, airplane maker Bombardier, and US retail store chain Kroger.
The ransomware group ended up publishing some of the data it stole from Flagstar Bank after attempting to extort the bank.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.