The US-based bank Flagstar has disclosed a data breach affecting over 800,000 customers, whose personal information, including Social Security numbers, was exposed as a result.
This is not the first data breach Flagstar Bank has experienced. Below, we explain what happened in more detail.
The MOVEit Transfer Software
Over 800,000 customers’ personal information was compromised in a data breach at Fiserv, a third-party vendor Flagstar Bank used for transaction processing and mobile banking services. This is the third data breach Flagstar has disclosed since early 2021.
The Michigan-based bank sent breach notification letters on October 6th stating that, prior to its acquisition by New York Community Bank in 2022, it used Fiserv for key banking services. Fiserv was one of many organizations affected by a critical vulnerability in the MOVEit Transfer file transfer software (CVE-2023-34362, a SQL injection flaw in Progress Software's product) disclosed at the end of May 2023.
The Attackers Exploited MOVEit’s Flaw to Access Flagstar’s Customer Data
According to Flagstar's notice, attackers exploited the MOVEit Transfer vulnerability between May 27 and 31, 2023 to gain unauthorized access to Fiserv's systems. This is the window in which the Clop extortion group mass-exploited the flaw, before a patch was available.
During this window, the attackers were able to access files containing sensitive Flagstar customer data. The exposed information included names, home addresses, phone numbers, tax records, and Social Security numbers of individuals with accounts at the bank.
This latest MOVEit breach is further evidence that managed file transfer software has become a goldmine for attackers: a single internet-facing server typically holds files from many customers at once. Cybersecurity experts say the MOVEit vulnerability has impacted thousands of organizations and exposed data on tens of millions of individuals so far, and they expect additional breaches to come to light in the coming months as downstream customers of affected vendors are notified.
Previous Flagstar Breaches Linked to File Transfer Hacks
As mentioned above, this is not the first time Flagstar Bank has suffered a data breach. The first breach, disclosed in early 2021, was also the result of vulnerabilities in file transfer software.
In that incident, the Clop ransomware gang exploited flaws in Accellion's File Transfer Appliance (FTA) to steal troves of sensitive customer data from Flagstar and then attempted to extort the bank.
Just over a year later, in June 2022, Flagstar disclosed a second breach, this time stemming from unauthorized access to its own network in December 2021, which impacted over 1.5 million customers. Together, these attacks compromised highly sensitive information such as Social Security numbers, driver's license numbers, bank account details and more.
Flagstar has now had customer data exposed three times, twice through flawed file transfer systems: once on a product it used directly (Accellion FTA) and once on a product used by its vendor (MOVEit Transfer at Fiserv). You might expect that after the first breach the bank would have strengthened its security, tightened controls around access to sensitive information, and required the same of its vendors, but that is clearly not what happened.
This pattern suggests that neither the bank's own cybersecurity nor that of its third-party vendors received the attention it needed. However, Flagstar's response to this latest incident suggests things are starting to change.
Investigation Efforts and Free Monitoring for Impacted Customers
Flagstar stated in its breach notice that upon learning of the incident it immediately launched an investigation in coordination with Fiserv. Fiserv says it has now patched all known vulnerabilities in MOVEit Transfer and hardened its systems according to the software provider's security recommendations.
To help impacted customers monitor for fraud, Flagstar is offering complimentary credit monitoring services for two years through Kroll.
Customers are advised to closely scrutinize bank statements and credit reports for any suspicious activity, and to consider placing a credit freeze with the three credit bureaus, which blocks new accounts from being opened with a stolen Social Security number. If you have been affected, expect phishing emails and text messages, some of which will reference this very breach or imitate the Kroll notification. Do not open links or attachments unless you have verified the sender, and keep reputable antivirus software such as TotalAV installed and up to date.
Flagstar Needs to Improve Its Third-party Risk Management
Cybersecurity experts say the repeated breaches at Flagstar demonstrate the critical importance of rigorous third-party risk management programs. Financial institutions and organizations across multiple industries rely heavily on third-party providers like Fiserv for important services that often deal with very sensitive data.
However, this dependence creates substantial security risks if the vendors have security flaws or fail to adequately safeguard sensitive data.
It’s essential that financial institutions do proper due diligence when selecting a third-party firm to carry out important tasks. They should also have contracts in place that require these firms to meet defined cybersecurity standards, for example patching timelines for critical vulnerabilities, breach notification deadlines and a right to audit, and that hold them accountable if anything happens to customers’ data.
Adopting Data-Centric Security Strategies
Flagstar needs to adopt more data-centric security strategies. This means focusing on protecting the sensitive customer data itself rather than only securing network perimeters and access points, since the MOVEit case shows that a perimeter control can fail on a server the bank does not even operate. Technologies such as encryption and tokenization keep critical data protected even if it falls into the wrong hands: a file transfer server that only ever holds ciphertext or tokens yields little to an attacker who copies it.
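To make the tokenization point concrete, here is an added example, not code from the original article nor from Flagstar or Fiserv, showing a simple tokenization vault: Social Security numbers are replaced with keyed tokens before a customer record is handed to a vendor, so an exfiltrated export file contains no usable SSNs, while an authorized job inside the bank can still map a token back. The vault, the HMAC key, the role name `ssn-detokenize` and the customer records are all illustrative assumptions; in a real deployment the key would live in an HSM or KMS and the mapping in a hardened store that never leaves the bank's environment.

```python
"""Tokenization vault example (illustrative, not Flagstar's or Fiserv's design).

Idea: the record that leaves the bank for a third-party vendor carries a
token in place of the SSN. The only way back from token to SSN is the
vault, which stays inside the bank and is never copied to a file transfer
server. The sample customers below are constructed data.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Set

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Holds the only mapping from tokens back to real SSNs.

    Tokens are a keyed HMAC of the SSN, so the same SSN always yields the
    same token (exports can still be joined and deduplicated on it), yet an
    attacker holding only the export file cannot brute-force the ~10^9
    possible SSNs: without the secret key the token cannot be recomputed.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 32 random bytes; assumption: a production key comes from an HSM/KMS.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._token_to_ssn: Dict[str, str] = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("SSN must look like NNN-NN-NNNN")
        digest = hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._token_to_ssn[token] = ssn
        return token

    def detokenize(self, token: str, caller_roles: Set[str]) -> str:
        # Least privilege: only a caller holding the (hypothetical)
        # ssn-detokenize role may reverse a token.
        if "ssn-detokenize" not in caller_roles:
            raise PermissionError("caller not authorized to detokenize")
        return self._token_to_ssn[token]


def build_vendor_export(customers: List[dict], vault: TokenVault) -> List[dict]:
    """Build the records handed to a transaction-processing vendor.

    The SSN field is swapped for its token before the record leaves the bank.
    Other fields (name, address) are left as-is here; a full data-centric
    design would classify and protect those too.
    """
    export = []
    for customer in customers:
        record = dict(customer)
        record["ssn"] = vault.tokenize(customer["ssn"])
        export.append(record)
    return export


def contains_real_ssn(records: List[dict]) -> bool:
    """What an attacker reading an exfiltrated file would find: any field
    that still looks like a Social Security number."""
    return any(SSN_RE.match(str(v)) for r in records for v in r.values())


# Constructed sample data, not real customers. The third row duplicates the
# first to show that deterministic tokens still allow deduplication.
SAMPLE_CUSTOMERS = [
    {"name": "A. Example", "address": "1 Main St", "ssn": "123-45-6789"},
    {"name": "B. Example", "address": "2 Main St", "ssn": "987-65-4321"},
    {"name": "A. Example", "address": "1 Main St", "ssn": "123-45-6789"},
]

if __name__ == "__main__":
    vault = TokenVault()
    export = build_vendor_export(SAMPLE_CUSTOMERS, vault)
    for record in export:
        print(record)
    print("real SSNs present in export:", contains_real_ssn(export))
    # Authorized path back to the real value, e.g. a tax-reporting job.
    print(vault.detokenize(export[0]["ssn"], {"ssn-detokenize"}))
```

The design choice worth noting is the keyed (HMAC) token rather than a plain hash: an unkeyed SHA-256 of a nine-digit SSN can be reversed by enumerating every possible value in minutes, so the secret key is what actually makes the exported file worthless on its own. Where a vendor needs no joins across records at all, a fully random token per record is simpler still and leaks even less.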
While Flagstar and Fiserv work to investigate the breach and prevent future attacks, impacted customers have a long road of monitoring ahead to protect themselves against fraud. The repeated breaches show that Flagstar and other financial institutions still have a long way to go in improving their cybersecurity, and that of their vendors, and keeping customer data safe.