Dive Brief:
- More than 1.5 million of Flagstar Bank’s customers’ Social Security numbers were stolen after the bank suffered a data breach in early December, the Troy, Michigan-based financial institution disclosed on Friday.
- “After an extensive forensic investigation and manual document review, we discovered on June 2, 2022 that certain impacted files containing your personal information were accessed and/or acquired from our network,” the bank wrote in a letter to impacted customers.
- The breach is the second to impact the bank in less than two years. In January 2021, the bank notified customers it was one of the many companies impacted by the Accellion hack, according to TechCrunch.
Dive Insight:
Flagstar said it has no evidence that any of the information obtained in the breach has been misused. The bank has hired the global consultant Kroll in the aftermath of the breach.
“Nevertheless, out of an abundance of caution we have secured the services of Kroll to provide identity monitoring at no cost to you for two years,” the bank told customers.
The breach, which occurred between Dec. 3 and Dec. 4, impacted 1,547,169 customers, according to information the bank provided to the Office of the Maine Attorney General.
“Given the amount of personal data – not to mention money – involved in the financial services sector, it isn’t surprising to see institutions such as Flagstar continuing to face an onslaught of cybersecurity threats and attacks,” Lisa Plaggemier, executive director at the National Cybersecurity Alliance, said. “In addition, this incident goes to show that cybersecurity is not just a one-time fix type of issue as this is the second time that Flagstar has fallen victim to cybercriminals in as many years.”
Flagstar’s cybersecurity issues illustrate the amount of work needed in order to shore up the financial services industry’s cybersecurity operations, Plaggemier said.
“Moreover, with it taking six months for Flagstar to notify customers, this incident further underscores the importance of developing further reporting regulation and collaboration between the private and public sectors,” she said. “If not, not only will customers remain at a heightened risk, but public confidence in both public and private cybersecurity will continue to wane.”
Flagstar’s hack comes as regulators tighten the reporting timeline for banks that become victims of a cybersecurity breach.
In a ruling that took effect in May, the Federal Deposit Insurance Corp. (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve now require banks to notify their primary federal regulator within 36 hours of determining that a “significant computer-security incident” could disrupt business or the stability of the financial sector, the agencies said.
The rule, which stems from a proposal the FDIC and OCC first floated in December 2020, attaches a specific timeline to 15-year-old guidance instructing banks to notify their primary regulator “as soon as possible” about incidents of unauthorized access to sensitive customer data.