Flagstar Bank Suffers Data Breach, 1.5 Million Customers Affected


Flagstar Bank, one of the largest banks in the U.S., said that it suffered a data breach in December 2021, exposing the names and social security numbers of over 1.5 million customers. This is the second major breach the Michigan-based bank has experienced within a year, and it has sent out notifications to the affected clients.

While Flagstar says there is no evidence that the stolen data is being misused, it has provided important information on how the affected customers can protect themselves from identity theft and similar risks.

Details of the Flagstar Bank Data Breach

According to the notification, the bank said it experienced “unauthorized access” to its corporate network, though it did not specify when the breach was discovered, nor when hackers initially gained access to Flagstar’s system.

After engaging third-party cybersecurity assistance and contacting law enforcement, Flagstar said an investigation that concluded on June 2, 2022, revealed that the data breach occurred between Dec. 3 and Dec. 4 of 2021.

Hackers “accessed and/or acquired” files containing customer data that included the names or other personal identifiers of 1,547,169 Flagstar customers, along with their social security numbers.

Flagstar to Provide Identity Protection Services to Affected Customers

The bank said that it has not found any evidence that the responsible actor is misusing the stolen information. However, information like names and social security numbers in the wrong hands can be used to carry out cybercrimes like identity theft and phishing attacks.

As a precautionary measure, Flagstar said it would provide its customers with Kroll’s identity monitoring services at no cost for a period of two years. The services include credit monitoring, fraud consultation, and identity theft restoration. The bank’s notification includes information to help customers protect their personal data.

“As a precautionary measure, we recommend that you remain vigilant by reviewing your account statements, from us and others, and monitoring your credit reports closely,” the notification reads.

“If you detect any suspicious activity on any account or have reason to believe your information is being misused, you should promptly notify the financial institution or company with which the account is maintained. You should also promptly report any fraudulent activity or any suspected incidence of identity theft to proper law enforcement authorities, your state attorney general, and the Federal Trade Commission (“FTC”),” it adds.

Banks Consistently Facing Cyber Threats

It is currently unclear how the threat actor gained access to Flagstar’s network. However, there is a worrying rise in the number of high-profile cyber threats against banks and other financial institutions. Flagstar was hit by a data breach earlier this year as well, when the notorious Cl0p ransomware gang hacked into a vulnerable server.

In April, security researchers discovered an ongoing Remote Access Trojan campaign against banks in Africa. Just last week, a U.S. court convicted a former Amazon employee of hacking into Capital One bank in 2019.

Countries have also been quick to respond and take precautionary measures to protect financial institutions. Singapore’s banking regulator, the MAS, recently released a set of measures to improve cybersecurity in digital banking and tackle financial scams.

If you’re concerned about your finances, check out our guide on safe online banking which details the common threats to watch out for, and tips to help protect yourself.

Technology policy researcher
Prateek is a technology policy researcher with a background in law. His areas of interest include data protection, privacy, digital currencies, and digital literacy. Outside of his research interests, Prateek is an avid reader and is engaged in projects on sustainable farming practices in India.