Pierluigi Paganini October 09, 2023

Flagstar Bank announced a data breach suffered by a third-party service provider exposed the personal information of over 800,000 US customers.

Flagstar Bank is warning 837,390 US customers that their personal information was exposed after threat actors breached the third-party service provider Fiserv.

Flagstar Bank is an American commercial bank headquartered in Troy, Michigan, it is a wholly owned subsidiary of New York Community Bank. Flagstar is one of the largest residential mortgage servicers in the United States, and was among the largest banks in the United States prior to its acquisition in 2022.

Fiserv provides payment processing and mobile banking services to Flagstar Bank, it was the victim of the large-scale MOVEit campaign.

“The incident involved vulnerabilities discovered in MOVEit Transfer, a file transfer software used by our vendor to support services it provides to Flagstar and its related institutions.” reads the data breach notification sent to the impacted customers.

“Our vendor promptly launched an investigation into the nature and scope of the MOVEit vulnerability’s impact on its systems and discovered that the unauthorized activity in the MOVEit Transfer environment occurred between May 27 and 31, 2023, which was before the existence of this vulnerability was publicly disclosed. During that time, unauthorized actors obtained our vendor files transferred via MOVEit.”

The financial organization pointed out that the MOVEit flaw did not involve any of Flagstar Bank’s systems and did not impact its ability to service the customers.

Stolen files included Flagstar Bank and related institution customer information.

According to Resecurity, a Los Angeles-based cybersecurity provider, the data hasn’t been leaked in Dark Web yet, but offered for sale via private underground communities. It is expected the bad actors may monetize it at the bigger scale by selling personal identifiable information (PII) and payment data.

After Flagstar became aware of the data breach it launched an investigation into the incident to determine the scope of the security incident.

In June 2022, Flagstar Bank disclosed another data breach that impacted roughly 1.5 million individuals, but the company did not share details about the attack. The security breach took place in early December 2021.

On March 2021, the bank was the victim of another attack conducted by the Clop ransomware gang.

The hack resulted from the compromise of a file transfer service from Accellion that took place at the end of 2020. This security breach also impacted nearly 1.5 million customers of Flagstar.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)