Data breach at Flagstar affects over 1.5 million customers

Flagstar says that no evidence has been found that any of the records acquired in the breach have been misused. The bank has engaged Kroll, a global risk consulting firm, to assist with the aftermath of the breach.

“Nevertheless, out of an abundance of caution we have secured the services of Kroll to provide identity monitoring at no cost to you for two years,” the bank told its clients.

The breach reportedly took place between December 3 and December 4, 2021, and impacted 1,547,169 clients, according to records the bank filed with the Maine Attorney General's office.

“Given the amount of personal data – not to mention money – involved in the financial services sector, it isn’t surprising to see institutions such as Flagstar continuing to face an onslaught of cybersecurity threats and attacks,” Lisa Plaggemier, executive director at the National Cybersecurity Alliance said. “In addition, this incident goes to show that cybersecurity is not just a one-time fix type of issue as this is the second time that Flagstar has fallen victim to cybercriminals in as many years.”

Plaggemier says that it took six months for Flagstar to inform clients, which she says underscores the "importance of developing further reporting regulation and collaboration between the private and public sectors."

Flagstar's breach comes as regulators tighten the reporting timeline for banks that fall victim to cybersecurity incidents.

Under a rule that took effect in May, the Federal Deposit Insurance Corp. (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Reserve now require banks to notify their primary federal regulator within 36 hours of determining that a "significant computer-security incident" is likely to disrupt their operations or threaten the stability of the financial sector.

The rule, which stems from a proposal the FDIC and OCC first put forward in December 2020, adds a specific timeline to 15-year-old guidance that directs banks to notify their primary regulator "as soon as possible" about incidents of unauthorized access to sensitive customer data.