Flagstar Bank Warns of Data Breach Affecting Over 800,000 Customers Due to Third-Party Vendor

Flagstar Bank, recently acquired by New York Community Bank, has issued a warning to over 800,000 U.S. customers regarding a significant data breach. The Flagstar Bank data breach occurred through a third-party service provider, Fiserv, which Flagstar uses for payment processing and mobile banking services. Fiserv was targeted in the widespread Clop MOVEit Transfer data theft attacks that affected millions of individuals and thousands of organizations globally. The attackers exploited a zero-day vulnerability in MOVEit Transfer to access Fiserv's systems and subsequently stole customer data that the vendor held in order to provide services to Flagstar.

While specific details of the compromised data have been redacted in the breach notification letters, the entry on Maine's data breach portal revealed that names and Social Security Numbers (SSNs) were among the stolen information. In total, 837,390 Flagstar Bank customers in the United States were impacted by this breach.

Notably, this incident marks the third breach for Flagstar in just two years. In March 2021, the bank disclosed a breach resulting from the Clop ransomware gang's attack on its Accellion file transfer server. In June 2022, Flagstar reported another breach of its corporate network that affected over 1.5 million customers in the U.S.

The latest breach raises concerns not only for Flagstar but also for the numerous banks that rely on Fiserv's services. Fiserv has faced previous security issues that indirectly exposed its client banks and their customers. The extent of the breach's impact on other financial institutions remains unclear. James McQuiggan, Security Awareness Advocate at KnowBe4, commented:

"This narrative of the MOVEit data breach is being replayed across boardrooms as the aftershocks of third-party vendor vulnerabilities continue to haunt organizations. This incident highlights the imperative for an enhanced cybersecurity framework within organizations and extending into the broader networks of third-party arrangements. Rigid due diligence, robust cybersecurity policies, and real-time monitoring of third-party vendors are no longer a good idea but are necessary programs to reduce the risk of these cyber breaches. This attack demonstrates that an organization's security is only as strong as its third or fourth party's weakest security program."