Flagstar Bank suffers third data breach collectively impacting millions

In data breach notification letters, Flagstar Bank warned over 800,000 US customers that their personal information may have been stolen after a breach at Fiserv, a third-party service provider it uses for payment processing and mobile banking services.

The attackers exploited the MOVEit Transfer product vulnerability to access Fiserv’s systems and, from there, stole Flagstar customer data the vendor held, including names and SSNs.

This latest breach is the third for Flagstar since March 2021, when its Accellion file transfer server was hacked in January of 2022. Hackers managed to steal customer and employee information, including names, addresses, phone numbers, tax records, and SSNs.

Also, in June 2022, Flagstar disclosed a second breach of its corporate network that impacted over 1.5 million customers with compromised data including names and SSNs.

Unfortunately, Fiserv has also previously exposed customer data due to other security lapses, and, as Fiserv serves hundreds of banks, it is believed that more victims of this incident will surface.

Paul Valente, CEO & Co-Founder, VISO TRUST, had this to say:

   “Attackers will target the weakest link in the chain, and in financial services, third parties are the weakest link.

   “The interconnected nature of the financial industry means that breaches at third-party providers, like MOVEit and Fiserv, can have cascading effects, impacting not only a single institution but potentially an entire sector. That’s why collective efforts and strategic automation and nth party intelligence are crucial in enhancing overall cybersecurity resilience.

   “This breach at Flagstar Bank underscores the paramount importance of a proactive and vigilant approach to third-party risk management. Security teams must go beyond the basics, delving deep into their environment, staying vigilant, and having a clear plan in place to respond swiftly to third-party-related issues. Automation and AI are powerful allies in this endeavor, enhancing the ability to detect and mitigate risks effectively in today’s ever-evolving threat landscape. This combination of human expertise and technological innovation is key to protecting customer data and maintaining trust in the digital age.”

Craig Harber, Security Evangelist at Open Systems, follows with this:

   “Third-party suppliers are critical to the operation of most modern businesses. Their systems are interconnected to form a trust relationship to prevent supply chain attacks, data breaches, and reputation damage. Unfortunately, the resulting ecosystem has become a favorite attack path for attackers to gain access to larger companies that tend to have larger budgets and more resources to invest in cybersecurity. In the most recent breach reported by Flagstar Bank, we see an example of how the attacker exploited the MOVEit Transfer product vulnerability in Fiserv’s system to access Flagstar customer data held by Fiserv. The impact on Flagstar’s customers and its brand highlights the importance of implementing third-party risk management to help mitigate undue risks and costs associated with third-party cyber risks.”

Clearly this bank needs a closer look, given that this isn’t its first rodeo in terms of getting pwned. In fact, I hope those in places like Congress ask this bank a lot of tough questions, because three of these incidents is completely unacceptable.

UPDATE: Ted Miracco, CEO, Approov Mobile Security, had this to say:

   “The possibility that the first data breach at Flagstar Bank may have facilitated the two subsequent breaches is a concerning issue. Employee data taken in the initial breach could potentially have provided valuable information and access points for the hackers in either or both of the later breaches. This highlights an important lesson for financial companies and organizations in general – breaches cannot be easily remediated once the first breach occurs.

   “Flagstar might also benefit by implementing more stringent contractual obligations regarding data protection to minimize the risk of breaches through third-party arrangements. There is a clear pattern here, and hopefully steps will be taken this time to avoid another breach at Flagstar and at their third-party suppliers.”
