Flagstar Bank, a Michigan-based financial services provider now owned by the New York Community Bank, has issued a warning regarding a significant data breach affecting over 800,000 of its US customers.
The breach occurred as a result of a cyberattack on a third-party service provider, Fiserv, which Flagstar utilizes for payment processing and mobile banking services. Fiserv itself fell victim to the widespread CLOP MOVEit Transfer data theft attacks, impacting millions of individuals and organizations globally.
Zero-day vulnerability
Exploiting a zero-day vulnerability in the MOVEit Transfer product, the attackers gained unauthorized access to Fiserv’s systems and subsequently obtained Flagstar customer data that was held by the vendor for service provision. The specific types of compromised data have been redacted in the breach notification letters, although the Maine data breach portal indicates that names and Social Security Numbers (SSNs) were among the stolen information.
The total number of affected Flagstar Bank customers in the US stands at 837,390. This incident marks the third breach for Flagstar since March 2021, when it disclosed a breach caused by the Clop ransomware gang’s attack on its Accellion file transfer server. At that time, the hackers successfully exfiltrated customer and employee data, including names, addresses, phone numbers, tax records, and SSNs.
In June 2022, Flagstar also reported another breach of its corporate network, impacting over 1.5 million US customers. The data compromised in that incident included at least names and Social Security Numbers. At the time, the company opted again to censor the relevant section on the published notification samples.