Flagstar Bank, a prominent Michigan-based financial services provider, has warned 837,390 of its US customers about a data breach that occurred through a third-party service provider, Fiserv.
The breach exposed the personal information of a substantial number of customers. It was traced back to vulnerabilities in MOVEit Transfer, the file transfer software used by Fiserv for payment processing and mobile banking services.
The unauthorized activity occurred between May 27 and 31 2023, before the vulnerability was publicly disclosed, allowing threat actors to access and obtain customer information, including names and other data elements.
In a notice sent to customers, Flagstar Bank said it acted promptly upon discovering the breach. Their vendor initiated a comprehensive investigation, identified affected individuals, and notified regulatory bodies as required. The technical vulnerabilities were promptly remediated, following MOVEit software provider guidelines.
To support affected customers, Flagstar Bank has been providing complimentary identity monitoring services through Kroll for two years. This includes credit monitoring, fraud consultation and identity theft restoration.
The company also recommended that all affected individuals remain vigilant, monitor their credit history, review account statements and report any suspicious activity to financial institutions.
The incident marks the third significant cybersecurity breach for Flagstar Bank since 2021. The first breach happened in March 2021 when the Clop ransomware group reportedly pilfered customers’ personal data. A second breach occurred on December 3 and 4 2021, affecting Flagstar Bank’s corporate network and impacting nearly 1.5 million US clients.