Flagstar Bank Data Breach Affects Over 800,000 Customers Through Third-Party Vendor

Kamso Oguejiofor, Writer

Flagstar Bank, previously one of the largest banks in the US with assets over $31 billion, is once again under the cybersecurity spotlight. The Michigan-based financial institution, now under the ownership of New York Community Bank, has announced its third data breach since 2021, potentially compromising the personal data of over 800,000 U.S. customers.

This latest breach occurred through the bank’s reliance on Fiserv, a third-party service provider responsible for transaction processing and mobile banking services. Fiserv fell victim to the MOVEit Transfer data theft attacks, part of the recent wave of breaches linked to the MOVEit platform that impacted thousands of organizations and over 64 million people worldwide.

“Our vendor promptly launched an investigation into the nature and scope of the MOVEit vulnerability’s impact on its systems and discovered that the unauthorized activity in the MOVEit Transfer environment occurred between May 27 and 31, 2023, which was before the existence of this vulnerability was publicly disclosed,” reads Flagstar’s consumer notification template. “During that time, unauthorized actors obtained our vendor files transferred via MOVEit.”

This breach isn’t the first time Flagstar Bank’s data has been at risk. In January 2021, the Clop ransomware gang exploited its Accellion file transfer server, obtaining customer and employee data, including SSNs, tax records, addresses, and more. Another breach in June 2022 impacted over 1.5 million American customers.

James McQuiggan, a Security Awareness Advocate at KnowBe4, emphasized the ongoing challenges organizations face with third-party vendor vulnerabilities. “This incident highlights the imperative for an enhanced cybersecurity framework within organizations and extending into the broader networks of third-party arrangements,” McQuiggan said.

“To help prevent something like this happening again, our vendor has, through their service provider, remediated all technical vulnerabilities and patched systems in accordance with the MOVEit software provider’s guidelines,” Flagstar said. “Our vendor’s service provider also mobilized a technical response team to examine the relevant MOVEit systems and ensure that there were no further vulnerabilities.”

About the Author

Kamso Oguejiofor is a former Content Writer at SafetyDetectives. He has over 2 years of experience writing and editing topics about cybersecurity, network security, fintech, and information security. He has also worked as a freelance writer for tech, health, beauty, fitness, and gaming publications, and he has experience in SEO writing, product descriptions/reviews, and news stories. When he’s not studying or writing, he likes to play basketball, work out, and binge watch anime and drama series.
