Flagstar Bank is warning that over 800,000 US customers had their personal information stolen by cybercriminals due to a breach at a third-party service provider.
Flagstar, now owned by New York Community Bank, is a Michigan-based financial services provider that, before its acquisition last year, was one of the largest banks in the United States, with total assets of over $31 billion.
A data breach notification sent to impacted customers explains that Flagstar was indirectly affected through Fiserv, a vendor it uses for payment processing and mobile banking services.
Fiserv was breached in the widespread Clop MOVEit Transfer data theft attacks, which have impacted over 64 million people and two thousand organizations worldwide, according to a report by Emsisoft.
The attackers exploited a zero-day vulnerability in the MOVEit Transfer product to access Fiserv's systems and, from there, stole Flagstar customer data that the vendor held in order to provide its services.
The types of data that were compromised are redacted in the sample data breach notification letters. However, the entry on Maine's data breach portal lists at least names and Social Security Numbers (SSNs) as stolen by the threat actors.
The total number of Flagstar Bank customers impacted by this incident is 837,390 in the United States.
A third breach in two years
This latest breach is the third for Flagstar since March 2021, when it disclosed that it had suffered a breach at the hands of the Clop ransomware gang, which had hacked its Accellion file transfer server in January of that year.
Based on the data samples posted by the ransomware gang, the hackers managed to steal customer and employee information, including names, addresses, phone numbers, tax information, and SSNs.
In June 2022, Flagstar disclosed another breach of its corporate network that impacted over 1.5 million of its customers in the U.S.
The data compromised in that incident includes at least names and Social Security Numbers. At the time, the company again opted to redact the relevant section of the published notification samples.
What is more worrying is that Fiserv provides services to hundreds of banks, which it has indirectly exposed in the past through other security lapses.
BleepingComputer has contacted Fiserv to ask whether the MOVEit breach impacts more financial institutions and their customers, and we will update this post as soon as we receive a response.