Flagstar Bank’s Latest Data Breach: 800,000 Customers Impacted, Marking the Third Incident of 2021

Flagstar Bank experiences its third data breach of 2021, impacting 800,000 customers. Stay updated on this incident.

Flagstar Bank Warns Customers of Data Breach

Flagstar Bank, a Michigan-based financial services provider now owned by the New York Community Bank, has issued a warning to over 800,000 US customers whose personal information was stolen in a data breach. The breach occurred at a third-party service provider, Fiserv, which Flagstar uses for payment processing and mobile banking services.

A data breach notification sent to affected customers explains that Fiserv was targeted in the widespread CLOP MOVEit Transfer data theft attacks. These attacks have affected over 64 million individuals and two thousand organizations worldwide, as reported by Emsisoft.

The cybercriminals exploited a zero-day vulnerability in Fiserv’s MOVEit Transfer installation to gain unauthorized access to its systems and then stole the Flagstar customer data held by the vendor.

The specific types of compromised data have been redacted in the sample data breach notification letters. However, the Maine data breach portal lists names and Social Security Numbers (SSNs) as being stolen by the threat actors.

The total number of Flagstar Bank customers impacted by this incident in the United States is 837,390.

Repeat Breaches for Flagstar Bank

This recent breach marks the third time Flagstar has experienced a data breach since March 2021. The first breach occurred when the Clop ransomware gang hacked Flagstar’s Accellion file transfer server in January of that year. Customer and employee information, including names, addresses, phone numbers, tax records, and SSNs, was stolen during that breach.

In June 2022, Flagstar disclosed another breach of its corporate network, affecting over 1.5 million customers in the US. The compromised data in that incident also included names and Social Security Numbers.

Of concern is the fact that Fiserv provides services to numerous banks, many of which have been indirectly affected by previous security lapses, as reported by KrebsOnSecurity.

We have reached out to Fiserv to inquire about the impact of the MOVEit breach on other financial institutions and their customers. We will update this post with their response.
