Hackers accessed 1.5 million Flagstar Bank customers’ personal data, the US financial services provider has disclosed.
Based in the US state of Michigan, Flagstar is one of the largest banks in America, with total assets of over $30 billion.
In data breach notifications sent to impacted customers, the bank revealed that personal data of 1.5 million customers had been accessed by hackers in a December 2021 cyber attack after intruders breached the bank's corporate network.
After an investigation, the bank discovered on 2nd June that the threat actors had accessed sensitive customer details, including full names and social security numbers.
"Upon learning of the incident, we promptly activated our incident response plan, engaged external cyber security professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement," Flagstar stated in a notice to affected customers.
"We have no evidence that any of the information has been misused.
"Nevertheless, out of an abundance of caution, we want to make you aware of the incident," Flagstar further explained in the notice.
To compensate exposed customers, Flagstar is providing two years of free identity monitoring and protection services.
According to a Bleeping Computer report, the data breach affected 1,547,169 people in the United States based on data submitted to the Office of the Maine Attorney General.
This is the second major security incident that has affected Flagstar and its customers in the past 12 months.
In January 2021, the ransomware gang Clop breached the bank's servers by exploiting a zero-day vulnerability in Accellion FTA servers. Numerous entities doing business with Accellion were impacted, including Bombardier, Singtel, the New Zealand Reserve Bank, and Washington's State Auditor office.
Clop stole data such as names, SSNs, addresses, tax records, and phone numbers, which were eventually published on Clop's data leak site.
Flagstar ended its collaboration with the Accellion platform after the breach and after being extorted by Clop, which resulted in its customers' data being accessible to cyber criminals.