Flagstar Bank, which operates 150 branches across 28 states in the US, released details this month of a hacking incident resulting in the personal details of over 1.5 million customers being stolen.
As The Register reports, the bank’s computer system was compromised last December, but the bank didn’t realize it had been hacked until this month (June 2). On further investigation, it was discovered “at least” the names and social security numbers of 1,547,169 people in the US had been taken.
In a letter (PDF) to customers sent out on June 17 alongside a “How to Protect Your Information” post on its website, Flagstar said it has now hired “external cybersecurity professionals” and reported the incident to federal law enforcement. The personal details of customers were accessed between Dec. 3-4 last year, meaning there has been plenty of time for them to be misused for identity theft. Flagstar states it has no evidence of that, though.
Flagstar is offering affected customers two years of identity monitoring through Kroll, which will include credit monitoring, fraud consultation, and identity theft restoration services if necessary. The bank also included a “steps you can take” guide with the letter to help customers check their accounts for suspicious activity going forward.
If being hacked and not realizing for months wasn’t bad enough, this isn’t the first time Flagstar has had its systems compromised. A much larger security breach occurred in late 2020 impacting more than 100 companies, one of which was Flagstar. It resulted in Flagstar being sued by its customers, paying out $5.9 million to settle the lawsuit, and agreeing to enhance its risk management and data privacy practices. Clearly those enhancements need further enhancing.