
This is some of the worst news that a bank customer can get after a hack

Published Mar 23rd, 2021 6:44PM EDT
Image: Data breach (Oleksii/Adobe)


Earlier this month, the Michigan-based bank Flagstar disclosed a security incident: a group of ransomware attackers had exploited a zero-day vulnerability in software supplied by one of the bank’s vendors.

Now, it seems the incident was much worse than noted at the time. Personal information, including the Social Security numbers of customers, bank employees, and even people with only tenuous connections to the bank, was accessed as part of this data breach. That’s according to letters and communications from the bank that angry social media users have been sharing on Twitter. Flagstar’s webpage that was set up to explain what happened doesn’t mention the particulars, but the bank confirmed to at least one news outlet that a staggering amount of data may have been accessed, including SSNs, first and last names, phone numbers, and addresses.

“On March 6, 2021, we determined that one or more of the documents removed from the Accellion platform contained your Social Security Number, First Name, Last Name, Phone Number, Address,” Flagstar wrote in a letter to some customers shared via social media. “Out of an abundance of caution we have secured the services of Kroll to provide identity monitoring at no cost to you for two years.”

In a recap of what happened, American Banker notes that the hackers exploited a flaw in Accellion’s File Transfer Appliance (FTA), the software Flagstar was using to secure sensitive data. “We are seeing a clear trend of attacks on third-party suppliers, especially software vendors, to the financial sector as well as other industries,” Steve Silberstein, CEO of the Financial Services Information Sharing and Analysis Center, told the publication. “While financial services firms tend to have robust cybersecurity controls and defenses, third and fourth parties performing critical services for multiple valuable clients will continue to be lucrative targets for threat actors with a variety of motivations.”

Among other key details about this data breach:

  • The FTA software at issue here is reportedly 20 years old and was set to be wound down next month.
  • According to Brett Callow, a threat analyst at the anti-malware and threat investigation provider Emsisoft, the identity of the attackers is unclear.
  • A ransomware gang, per American Banker, did publish some of the data stolen in this breach on the dark web, along with a threat that more would be published if a ransom weren’t paid.

One thing experts stress about events like this is that even though it was a third party with lax security that was taken advantage of, banks still have a first-party obligation to make sure their customers’ data isn’t being handled carelessly. You don’t say.

Andy Meek, Trending News Editor
