1.5 million customers impacted by Flagstar Bank data breach

The security incident occurred in December 2021.
Written by Charlie Osborne, Contributing Writer

Flagstar Bank has disclosed a security incident that led to the exposure of personal data belonging to up to 1.5 million customers.

As reported by Bleeping Computer, the data breach occurred between December 3 and December 4, 2021.

The US financial organization is headquartered in Michigan and operates over 150 branches in areas including Indiana, California, Wisconsin, and Ohio.

Flagstar Bank caters to consumers and enterprises, with roughly $23.2 billion in assets. The bank is a subsidiary of Flagstar Bancorp, listed on the NYSE as FBC.

The company said in a security notice that the incident involved "unauthorized access" to the bank's network.

"In response, Flagstar promptly took steps to secure its environment and investigate the incident with the assistance of third-party forensic experts," Flagstar said.

On June 2, Flagstar's investigators concluded that information belonging to over 1.5 million customers may have been affected by the breach.

There is no evidence that this data has been leaked, sold, or otherwise misused, according to the organization.

"Since then, we have taken several measures to toughen our information security. We now believe we have strengthened processes and systems in a way that should reduce our cyber vulnerabilities in the future," the company said.

When a data breach occurs at a major company, offering impacted customers free credit-monitoring services is now a standard step. Flagstar Bank has chosen to take this route, and anyone alerted to the possible leak of their personal information will be offered two years of free monitoring by Kroll.

"We sincerely apologize for any inconvenience this may have caused you," Flagstar Bank says. "We remain fully committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it."

This is the second security issue to strike Flagstar in just over a year.

In March 2021, the company, an Accellion customer, was impacted by a security incident caused by a zero-day vulnerability in Accellion's file-sharing platform, File Transfer Appliance (FTA). This flaw meant an unauthorized party was able to access some of Flagstar's information on the Accellion platform.

Flagstar said that the exploitation of the FTA appliance could have led to the exposure of customer PII, and impacted clients would be offered free credit monitoring.

ZDNet has reached out to Flagstar Bank with additional queries and we will update when we hear back. 
