Flagstar Bank, a prominent Michigan-based financial services provider, has warned 837,390 of its US customers about a data breach that occurred through a third-party service provider, Fiserv.
The breach exposed the personal information of a substantial number of customers. It was traced back to vulnerabilities in MOVEit Transfer, a file transfer software used by Fiserv for payment processing and mobile banking services.
The unauthorized activity occurred between May 27 and 31 2023, before the vulnerability was publicly disclosed, allowing threat actors to access and obtain customer information, including names and other data elements.
“Rigid due diligence, robust cybersecurity policies and real-time monitoring of third-party vendors are no longer a good idea but are necessary programs to reduce the risk of these cyber breaches,” commented James McQuiggan, security awareness advocate at KnowBe4.
“This attack demonstrates that an organization’s security is only as strong as its third or fourth party’s weakest security program.”
In a notice sent to customers, Flagstar Bank said it acted promptly upon discovering the breach. Their vendor initiated a comprehensive investigation, identified affected individuals and notified regulatory bodies as required. The technical vulnerabilities were promptly remediated, following MOVEit software provider guidelines.
Read more on the MOVEit vulnerability: Critical Zero-Day Flaw Exploited in MOVEit Transfer
To support affected customers, Flagstar Bank has been providing complimentary identity monitoring services through Kroll for two years. This includes credit monitoring, fraud consultation and identity theft restoration.
The company also recommended that all affected individuals remain vigilant, monitor their credit history, review account statements and report any suspicious activity to financial institutions.
“The MOVEit Transfer security flaw is the gift that keeps on giving for hackers. This time around, it looks like the bad guys were able to steal customer and employee information, including names, addresses, phone numbers, tax records and SSNs,” said Chris Hauk, consumer privacy advocate at Pixel Privacy.
“Customers of this bank [...] will want to keep a close eye on all of their accounts, take advantage of the inevitable free credit monitoring, and they should stay alert for possible phishing attempts.”
The incident marks the third significant cybersecurity breach for Flagstar Bank since 2021. The first breach happened in March 2021 when the Clop ransomware group reportedly pilfered customers’ personal data.
A second breach occurred on December 3 and 4 2021, affecting Flagstar Bank’s corporate network and impacting nearly 1.5 million US clients.
Editorial image credit: Michael Vi / Shutterstock.com