One of America’s largest banks has suffered a major data breach impacting more than 1.5 million customers.
Michigan-headquartered Flagstar Bank generates annual revenues in excess of $1.6bn and describes itself as the country’s sixth-largest bank mortgage originator.
Its data breach notification letter revealed the firm experienced unauthorized access to its network several months ago.
“After an extensive forensic investigation and manual document review, we discovered on June 2, 2022 that certain impacted files containing your personal information were accessed and/or acquired from our network between December 3, 2021 and December 4, 2021,” it noted.
“We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident.”
However, the letter, published on the Maine Attorney General’s Office website, lacked detail of exactly what information was taken. A separate entry on the site revealed that the incident impacted nearly 1.6 million individuals and the info acquired was “name or other personal identifier in combination with Social Security number.”
It’s unclear why it took the bank the best part of six months to detect the incident. According to Mandiant, 60% of intrusions last year were detected by the victim organizations themselves, which helps to reduce dwell time and financial/reputational damage.
This isn’t the first time Flagstar has been compromised in recent memory. It was one of the many victims of the Accellion campaign in which unpatched vulnerabilities in the vendor’s legacy FTA file transfer were exploited to steal and ransom corporate documents.
Keith Neilson, technical evangelist at CloudSphere, argued that asset management is the first step towards improved visibility and attack surface management.
“Financial institutions are entrusted with large volumes of sensitive customer information and have a responsibility to maintain proper security guardrails,” he added.
“A breach of this scale can impact not only the targeted organization and its customers, but also its business partners. As key targets for malicious actors, a financial institution’s reputation depends largely on its ability to ensure all data remains secure.”