Flagstar Bank, a leading financial institution headquartered in Michigan, has issued a warning to 837,390 of its customers in the United States regarding a data breach linked to a third-party service provider, Fiserv.
Did You Receive A Flagstar Bank Notice Letter?
The breach exposed the personal information of a significant number of Flagstar’s customers, with the incident traced back to vulnerabilities in MOVEit Transfer, a file transfer software used by Fiserv for payment processing and mobile banking services.
“The MOVEit Transfer security flaw is the gift that keeps on giving for hackers. This time around, it looks like the bad guys were able to steal customer and employee information, including names, addresses, phone numbers, tax records and SSNs,” said Chris Hauk, consumer privacy advocate at Pixel Privacy.
The unauthorized activity took place between May 27 and 31, 2023, occurring before the vulnerability was publicly disclosed. This allowed threat actors to gain access to and obtain sensitive customer information, including names and various data elements.
James McQuiggan, a security awareness advocate at KnowBe4, emphasized the importance of robust cybersecurity practices for organizations. He stated, “Rigid due diligence, robust cybersecurity policies and real-time monitoring of third-party vendors are no longer a good idea but are necessary programs to reduce the risk of these cyber breaches. This attack demonstrates that an organization’s security is only as strong as its third or fourth party’s weakest security program.”
Upon discovering the breach, Flagstar Bank took immediate action. Their third-party vendor, Fiserv, launched a comprehensive investigation, identified the affected individuals, and complied with regulatory reporting requirements. The technical vulnerabilities that led to the breach were promptly addressed following guidelines from the MOVEit software provider.
To support customers impacted by this breach, Flagstar Bank has been providing complimentary identity monitoring services through Kroll for a period of two years. This service includes credit monitoring, fraud consultation, and identity theft restoration.
Flagstar Bank has also advised all affected individuals to remain vigilant and actively monitor their credit history, review account statements, and promptly report any suspicious activity to their financial institutions.
This incident serves as a stark reminder of the evolving threats in the digital landscape and the critical need for organizations to enhance their cybersecurity measures and closely monitor the security practices of third-party vendors.