Over 800k Flagstar Bank Customers Affected by Third Data Breach in 2021

Flagstar Bank, one of the largest banks in the United States, is alerting its customers about a data breach that has exposed personal customer information. The breach occurred through a third-party vendor, Fiserv, which Flagstar uses for transaction processing and mobile banking services. The incident is connected to the mass MOVEit file transfer hack that has affected numerous organizations.

Flagstar Bank, prior to its acquisition by New York Community Bank in 2022, had assets worth over $31 billion. The bank is now in the process of notifying over 800,000 customers about the breach that has impacted Fiserv, marking the third breach suffered by Flagstar since 2021.

The consumer notification letter sent by Flagstar states that vulnerabilities were found in MOVEit Transfer, a file transfer software used by Fiserv to support services provided to Flagstar and its related institutions. The breach in question occurred between May 27 and 31, 2023, before the public disclosure of the MFT vulnerability. As a result, unauthorized actors gained access to Fiserv’s systems and obtained files related to Flagstar Bank and its customers.

The extent of the stolen information is alarming, with customer and employee data such as names, addresses, phone numbers, tax records, and SSNs being compromised. This puts affected customers at risk of identity theft and other malicious activities. Experts are urging customers to closely monitor their accounts, take advantage of free credit monitoring services, and stay alert for potential phishing attempts.

James McQuiggan, a Security Awareness Advocate, emphasizes the importance of robust cybersecurity frameworks within organizations and extended networks of third-party vendors. He highlights the need for thorough due diligence, strong cybersecurity policies, and real-time monitoring of vendors to reduce the risk of cyber breaches.

Interestingly, this is not the first time Flagstar has experienced a data breach related to file transfer. The earlier breaches occurred in March 2021 and June 2022, affecting millions of American customers. However, it seems that both Flagstar and Fiserv are treating this third breach with utmost seriousness. An immediate investigation was launched, and remediation actions were taken to patch vulnerabilities and strengthen systems according to industry guidelines.

Flagstar Bank has also arranged for affected customers to receive a complimentary two-year identity monitoring service through Kroll, indicating its commitment to addressing the consequences of the breach and protecting customer interests. Cybersecurity experts underline the need for financial institutions to assess the security posture of their vendors, conduct due diligence, and establish strict contractual obligations for data protection.

They also suggest investing in data-centric security, an approach that focuses on securing the data itself rather than just perimeter or access points. By protecting the data wherever it resides, whether in the organization’s network or when shared with third parties, this approach ensures that even in the event of a third-party breach, the stolen data remains incomprehensible and useless to malicious actors.

Customers of Flagstar Bank are advised to monitor their credit reports for suspicious activity, review their accounts for unfamiliar transactions, and take advantage of the offered credit monitoring services. Placing a fraud alert on their credit reports is also recommended. With Social Security numbers compromised in the breach, affected customers must remain vigilant and file their taxes early to avoid potential tax fraud.

The industry experts interviewed in relation to this breach express concerns that similar incidents related to MOVEit may occur in the future. This highlights the need for continuous efforts to enhance cybersecurity measures and protect sensitive data from potential breaches.
