Flagstar Bank customer data breached through Accellion hack

Like many other users, Flagstar Bank has now permanently stopped using the platform.
Written by Charlie Osborne, Contributing Writer

Flagstar Bank has been added to a list of companies breached due to an Accellion software zero-day vulnerability. 

The bank, headquartered in Michigan, is a subsidiary of Flagstar Bancorp and provides mortgages and other financial services to US customers. 

In a statement posted on Flagstar Bank's website, the organization says that Accellion first informed the company of a security issue on January 22, 2021. 

Accellion's file-sharing program, File Transfer Appliance (FTA), is an enterprise product used to transfer large files. Although FTA has been discontinued and supplanted by other software such as Kiteworks, a zero-day vulnerability in the legacy product was found in December and has since been exploited by attackers in the wild. 

Reported victims include Qualys, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and Transport for New South Wales (TfNSW). 

"After Accellion informed us of the incident, Flagstar permanently discontinued use of this file sharing platform," Flagstar Bank says. "Unfortunately, we have learned that the unauthorized party was able to access some of Flagstar's information on the Accellion platform and that we are one of numerous Accellion clients who were impacted."

In an email sent to a customer on March 6 and viewed by ZDNet, the company says it "acted immediately to contain the threat and have engaged a team of third-party forensic experts to investigate and determine the full scope of this incident."

Flagstar Bank says that operations were not impacted and the Accellion platform was "segmented" from other network elements such as core banking and mortgage systems. 

The financial organization has not revealed how many customers were affected by the leak, or what records may have been compromised. The bank added that anyone believed to be affected will be contacted via mail and "will receive information regarding free credit monitoring services."

Kroll has been hired to provide free credit monitoring tools. 

When a customer queried why Flagstar Bank was made aware of the breach in January and has only reached out now upon receipt of the email, the company apologized and said it "understood [their] frustration."  

"Investigations of this nature take time and the results are not instantaneous," the email read. "We're working as fast as we can to ensure a thorough, diligent review and are committed to providing updates as soon as we have them."

Flagstar Bank declined to comment further. 
