Heimdal Security Blog

Flagstar Bank Breached for the Third Time in Two Years

Flagstar Bank announced a data breach that affected over 800,000 US customers. The breach, involving a third-party service provider, led to the leak of users’ personal information.

Flagstar is a financial services provider with total assets of over $31 billion. New York Community Bank has owned it since 2022.

Details About the Breach

The data breach notification sent by Flagstar Bank identifies Fiserv as the source of the incident. The vendor offers payment processing and mobile banking services.

The overall number of Flagstar Bank customers affected by this occurrence in the United States is 837,390.

Fiserv was compromised as part of the global CLOP MOVEit Transfer data theft incidents, which affected over 64 million people and 2,000 companies worldwide.

The types of data that were compromised are redacted in the sample data breach notification letters. However, the entry on Maine’s data breach portal lists at least names and Social Security Numbers (SSNs) as stolen by the threat actors.

BleepingComputer (Source)

The attackers gained access to Fiserv’s networks by exploiting a zero-day vulnerability in the MOVEit Transfer product. They then stole Flagstar client data that the vendor used to perform services.

Remediation Measures

Fiserv launched an internal investigation to identify the affected individuals. It determined that the incident occurred between May 27 and 31, 2023, before the vulnerability was publicly disclosed. The company has since patched the flaw.

The impacted customers can benefit from free identity monitoring services.

We strongly recommend that you remain vigilant and regularly review and monitor all of your credit history to guard against any unauthorized transactions or activity. We also recommend that you closely monitor your account statements and notify us or any other of your financial institutions if you suspect any unauthorized activity.

Flagstar Bank (Source)

Worryingly, Fiserv provides services to hundreds of banks, which it has indirectly exposed in the past owing to other security flaws.

A History of Flagstar Breaches

This is Flagstar’s third breach since March 2021, when it announced a breach by the Clop ransomware group.

Based on the ransomware gang’s data samples, the hackers were able to collect customer and staff information such as names, addresses, phone numbers, tax records, and SSNs.

Flagstar announced another breach of its corporate network in June 2022, affecting nearly 1.5 million of its clients in the United States. Names and Social Security numbers were among the information stolen in the attack.
