Hackers stole Social Security numbers in Flagstar data breach affecting 1.5 million customers

Flagstar Bank, one of the largest financial service providers in the United States, has notified more than 1.5 million customers of a data breach in which Social Security numbers were stolen — its second incident in two years.

In a letter sent to those affected, Michigan-headquartered Flagstar revealed that hackers breached its corporate network between December 3 and December 4, 2021. After an investigation, the bank discovered on June 2, 2022, that the threat actors had accessed sensitive customer details.

“Flagstar recently experienced a cyber incident that involved unauthorized access to our network,” the company said in the letter. “Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents and reported the matter to federal law enforcement.”

It’s not clear why Flagstar took almost six months to detect the data breach. Flagstar spokesperson Susan Bergesen, when reached by email, declined to answer our questions, namely which of its systems were breached and the specific number of customers affected.

However, based on information submitted to the Office of the Maine Attorney General, the data breach affected 1,547,169 people in the United States.

This isn’t the first time Flagstar has been compromised. In January 2021, the company became one of the many victims of the Accellion hack that saw vulnerabilities in the vendor’s legacy file transfer appliance (FTA) exploited to steal corporate documents. In the case of Flagstar, stolen data included names, Social Security numbers, addresses, tax records and phone numbers.

The Accellion breach, which also claimed Morgan Stanley, cybersecurity firm Qualys and grocery giant Kroger as victims, has since been linked to the notorious Clop ransomware gang.