Info on 1.5m people stolen from US bank in cyberattack

Time to rethink that cybersecurity strategy?


A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.

In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.

"Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

"Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement," it continued. "We continue to operate all services normally."

The bank has offered affected customers identity theft protection services – which is entirely useful months after the information has been taken – and late last week mailed letters [PDF] notifying everyone who may have had their data stolen. "We have no evidence that any of the information has been misused," the letter stated.

Headquartered in Michigan, the bank and mortgage lender has more than 150 branches nationwide and home loan offices in 28 states.

Flagstar also suffered a security breach when, in late 2020, the Clop gang exploited a zero-day vulnerability in Accellion's legacy file-transfer appliance and siphoned data belonging to more than 100 organizations including Royal Dutch Shell, defense contractor Bombardier, and Flagstar. That attack exposed about 1.48 million customers' bank account information, Social Security numbers, passport data, and other private information.

Those customers sued the bank after that intrusion, and in September 2021, Flagstar agreed to pay $5.9 million to settle the lawsuit. Folks whose data was exposed were entitled to either three years of free credit monitoring services, or a payout between $99 and $316.

The bank also agreed to make "various enhancements" to its third-party vendor risk management program along with "other data privacy enhancements," according to court documents.

Plus, Flagstar agreed to monitor the dark web for any indications of people's personal data being sold, or other fraudulent activity related to the security breach.

In a statement provided to The Register following the latest breach disclosure, a spokesperson for the bank said: "We take the security of our network and the personal information entrusted to us with the utmost seriousness."

But after two significant data security breaches in less than two years, perhaps it's time for a fresh security strategy. ®


Other stories you might like

  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • OpenSea phishing threat after rogue insider leaks customer email addresses
    Worse, imagine someone finding out you bought one of its NFTs

    The choppy waters continue at OpenSea, whose security boss this week disclosed the NFT marketplace suffered an insider attack that could lead to hundreds of thousands of people fending off phishing attempts.

    An employee of OpenSea's email delivery vendor Customer.io "misused" their access to download and share OpenSea users' and newsletter subscribers' email addresses "with an unauthorized external party," Head of Security Cory Hardman warned on Wednesday. 

    "If you have shared your email with OpenSea in the past, you should assume you were impacted," Hardman continued. 

    Continue reading

Biting the hand that feeds IT © 1998–2022