
The U.S. financial service provider Flagstar Bank has notified more than 1.5 million customers of a data breach in which Social Security numbers were stolen.
The Michigan-headquartered Flagstar revealed that hackers breached its corporate network between December 3 and December 4, 2021, and that it discovered in June 2022 that the threat actors had accessed sensitive customer details.
“Flagstar recently experienced a cyber incident that involved unauthorized access to our network,” the company said in the letter. “Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents and reported the matter to federal law enforcement.”
It is unclear, however, why it took almost six months for Flagstar to detect the data breach. Also, we have yet to learn which of its systems were breached, though we do know that the incident affected 1,547,169 people in the United States — based on information submitted to the Office of the Maine Attorney General.
To make things slightly worse, this is not the first time Flagstar has been compromised. In January 2021, the company became one of the many victims of the Accellion hack that saw vulnerabilities in the vendor’s legacy file transfer appliance (FTA) exploited to steal corporate documents. In the case of Flagstar, hackers managed to steal the customers’ names, Social Security numbers, addresses, tax records and phone numbers.
The Accellion breach — which has since been linked to the notorious Clop ransomware gang — also affected Morgan Stanley, cybersecurity firm Qualys and grocery giant Kroger.
There is little we, as individuals, can do to protect our personal information in incidents like this one. We can do our part not to fall victim to phishing scams and to keep away from other malware on the Internet. In that sense, you should use a good antivirus and, of course, a VPN. And you know where to go to find the latter, right?