Click to Skip Ad
Closing in...

This is some of the worst news that a bank customer can get after a hack

Published Mar 23rd, 2021 6:44PM EDT
Data breach
Image: Oleksii/Adobe

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

Earlier this month, the Michigan-based bank Flagstar disclosed that a security incident had occurred, following the hack by a group of ransomware attackers who exploited a bank vendor’s zero-day software vulnerability.

Now, it seems the incident was much worse than noted at the time. Personal information, including social security numbers of customers, bank employees, and even people with tenuous connections to the bank, were accessed as part of this data breach. That’s according to letters and communications from the bank that angry social media users have been sharing on Twitter. Flagstar’s webpage that was set up to explain what happened doesn’t mention the particulars, but the bank confirmed to at least one news outlet that a staggering amount of data may have been accessed — including SSNs, first and last names, phone numbers, and addresses.

“On March 6, 2021, we determined that one or more of the documents removed from the Accellion platform contained your Social Security Number, First Name, Last Name, Phone Number, Address,” Flagstar wrote in a letter to some customers shared via social media. “Out of an abundance of caution we have secured the services of Kroll to provide identity monitoring at no cost to you for two years.”

In a recap about what happened, penned by American Banker, the publication notes that the hackers exploited a flaw in the Fire Transfer Application software from Accellion that Flagstar was using to secure sensitive data. “We are seeing a clear trend of attacks on third-party suppliers, especially software vendors, to the financial sector as well as other industries,” Steve Silberstein, CEO of the Financial Services Information Sharing and Analysis Center, told the publication. “While financial services firms tend to have robust cybersecurity controls and defenses, third and fourth parties performing critical services for multiple valuable clients will continue to be lucrative targets for threat actors with a variety of motivations.”

Among other key details about this data breach:

  • The FTA software at issue here is reportedly 20 years old and was set to be wound down next month.
  • According to Brett Callow, a threat analyst at the threat investigation and anti-malware provider Emsisoft, the identity of the attackers is unclear.
  • A ransomware gang, per American Banker, did publish some of the data stolen in this data breach to the dark web. There was also a threat that more information would be published if the attackers weren’t paid a ransom.

One thing experts stress about events like this is that even though it was a third party with lax security that was taken advantage of, banks still have a first-party obligation to make sure their customers’ data isn’t being handled carelessly. You don’t say.

Andy Meek Trending News Editor

Andy Meek is a reporter based in Memphis who has covered media, entertainment, and culture for over 20 years. His work has appeared in outlets including The Guardian, Forbes, and The Financial Times, and he’s written for BGR since 2015. Andy's coverage includes technology and entertainment, and he has a particular interest in all things streaming.

Over the years, he’s interviewed legendary figures in entertainment and tech that range from Stan Lee to John McAfee, Peter Thiel, and Reed Hastings.

Latest News