Flagstar Bank breach leaks Social Security numbers of more than 1.5 million people

Flagstar Bank admitted that the names and Social Security numbers of more than 1.5 million customers were leaked during a data breach that started on December 3. 

In letters sent out to victims on Friday, the bank said hackers broke into its systems on December 3 and December 4 last year, but they only realized sensitive customer information was accessed on June 2.

“Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement,” the bank said. 

Documents filed with the Attorney General of Maine said 1,547,169 people were affected by the breach. 

Flagstar Bank said it is offering victims two years of free identity monitoring through Kroll. The services include credit monitoring, fraud consultation and identity theft restoration.

Flagstar Bank, which is based in Michigan, did not respond to requests for comment about why it took six months to notify such a large number of customers. Company spokesperson Susan Bergesen would only share a statement that restated much of what was in the letters to victims.

Bergesen added that the bank is “in the process of notifying individuals who may have been impacted directly via U.S. mail to extend complimentary credit monitoring services.”

The bank was previously hacked by the Clop ransomware group through the widely exploited zero-day vulnerability in Accellion file-sharing servers.

Several organizations were attacked alongside Flagstar Bank, including Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, the QIMR Berghofer Medical Research Institute, Singapore telco Singtel, security firm Qualys, airplane maker Bombardier, and US retail store chain Kroger.

The ransomware group ended up publishing some of the data it stole from Flagstar Bank after attempting to extort the bank.

Jonathan Greig

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.

Recent Posts

Chinese cyber agency signals support for tech industry

CAC officials set a conciliatory tone towards tech Friday, but are still supervising rides-hailing giant’s…

2 hours ago

Apple releases emergency patch for two iPhone, Mac zero-day vulnerabilities being exploited

Apple said hackers are actively exploiting two zero-day vulnerabilities in iPhones, iPads and Macs. In…

3 hours ago

Google says it stopped the largest DDoS attack ever recorded in June

One of Google’s customers was targeted with the largest distributed denial of service (DDoS) attack…

3 hours ago

European Commission’s Despina Spanou on why cyber officials must ‘learn lessons from crises’

When it comes to privacy and cybersecurity regulations, the European Union often sets the standards…

5 hours ago

Cyber insurers weigh in on latest cybersecurity trends, threats

The numbers speak for themselves: more companies are opting in for cyber insurance coverage than…

1 day ago

TikTok asks House of Representatives to rescind cyber advisory about company

Short-form video giant TikTok refuted claims made by the Chief Administrative Officer (CAO) of the…

1 day ago