Flagstar Bank is warning that over 800,000 US customers had their personal information stolen by cybercriminals due to a breach at a third-party service provider.
Flagstar, now owned by the New York Community Bank, is a Michigan-based financial services provider that, before its acquisition last year, was one of the largest banks in the United States, having total assets of over $31 billion.
A data breach notification sent to impacted customers explains that Flagstar was indirectly impacted through Fiserv, a vendor it uses for payment processing and mobile banking services.
Fiserv was breached in the widespread CLOP MOVEit Transfer data theft attacks that have impacted over 64 million people and two thousand organizations worldwide, according to a report by Emsisoft.
The attackers exploited a zero-day vulnerability in the MOVEit Transfer product to access Fiserv’s systems and, from there, stole Flagstar customer data the vendor held to provide services.
The types of data that were compromised are redacted in the sample data breach notification letters. However, the entry on Maine’s data breach portal lists at least names and Social Security Numbers (SSNs) as stolen by the threat actors.
The total number of Flagstar Bank customers impacted by this incident is 837,390 in the United States.
A third breach in two years
This latest breach is the third for Flagstar since March 2021, when it disclosed it suffered a breach from the Clop ransomware gang, who, at the time, hacked its Accellion file transfer server in January of that year.
Based on the data samples posted by the ransomware gang, the hackers managed to steal customer and employee data, including names, addresses, phone numbers, tax information, and SSNs.
In June 2022, Flagstar disclosed another breach of its corporate network that impacted over 1.5 million of its customers in the U.S.
The data compromised in that incident includes at least names and Social Security Numbers. At the time, the company opted again to censor the relevant section on the published notification samples.
What’s more worrying is that Fiserv offers services to hundreds of banks, which it has indirectly exposed in the past due to other security lapses.
BleepingComputer has contacted Fiserv to ask if the MOVEit breach impacts more financial institutions and their customers, and we’ll update this post as soon as we receive a response.