Flagstar Bank Breach Compromises 1.5 million Social Security Numbers

DESCRIPTION

More than 1.5 million Flagstar Bank customers were notified through a letter sent out on June 17th, 2022 that their Social Security numbers had been compromised. Flagstar, one of the country’s largest banks, based in Troy, Michigan, also submitted a letter to the Office of the Attorney General, State of Maine, alerting that office to the incident. According to the bank, the attack took place between December 3rd and December 4th, 2021. Flagstar said there is no evidence that any of the information obtained in the breach has been used by the attackers. This attack comes a year after a prior incident that also exposed Social Security numbers along with other sensitive data such as tax records and contact information. That earlier incident, in which a ransomware gang known as Clop exploited a zero-day vulnerability to gain access to the bank’s network, was announced to the public in March 2021.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

Flagstar has not provided details regarding how they learned of the December attack but reports that the bank acted immediately upon discovery. After suppressing the attack and cleansing the infected systems, an extensive forensic investigation and document review was conducted for nearly six months. On June 2nd, the investigation determined that the personal data of 1,547,169 individuals was stolen.

CONTAINMENT (If IoCs are identified)

According to a company spokesperson, Flagstar responded to the breach immediately upon its discovery and was able to contain it.

As part of its incident response plan, Flagstar retained the services of a third-party cybersecurity firm experienced in ransomware attacks. The bank also notified federal law enforcement about the incident. In coordination with the announcement, Flagstar contracted with a firm to provide free identity monitoring services to all those affected by the breach for a period of 24 months.

CLASS ACTION SUIT FILED

A class action suit has been filed alleging that Flagstar failed to properly safeguard personally identifiable information (PII). The suit claims that the unnecessary delay in contacting those whose information was stolen left them exposed without knowledge or resources. The suit seeks funds to finance lifetime credit monitoring for all those affected by the breach. The suit also states that Flagstar has failed to disclose the root cause of the breach and how the information was accessed. It accuses Flagstar of failing to take proper security measures following the attack in 2020, which may have made the latest attack possible.

INCIDENT RESPONSE

With the rise of cybercrime, every organization should have a well-designed incident response plan (IRP). One of the initial critical decisions that should be outlined in the IRP is whether to involve law enforcement. Many cyber insurance companies require this notification as a condition of remaining covered under a policy.

For businesses and organizations in the U.S., any incident should be reported to one of these three organizations: the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) or the U.S. Secret Service. Local law enforcement can also assist with this. CISA offers an easy-to-use portal for reporting a cybersecurity incident.

When reporting an incident, investigators find the following information helpful, so have it ready:

  • How the incident was discovered.
  • How you believe the attack was initiated.
  • What actions have been taken to contain the incident so far.
  • The amount of any ransom demanded.

Be prepared to provide a brief background of your business and a summary of how the attack has affected its operations.

Ensure your Incident Response Readiness (IRR) in the event of an attack. Review your security and risk profile.