Wednesday, November 27, 2024

Third Flagstar Bank data breach since 2021 impacts 800,000 customers



Flagstar Bank is warning that over 800,000 US customers had their personal data stolen by cybercriminals as a result of a breach at a third-party service provider.

Flagstar, now owned by New York Community Bank, is a Michigan-based financial services provider that, before its acquisition last year, was one of the largest banks in the United States, having total assets of over $31 billion.

A data breach notification sent to impacted customers explains that Flagstar was indirectly impacted by Fiserv, a vendor it uses for payment processing and mobile banking services.

Fiserv was breached in the widespread CLOP MOVEit Transfer data theft attacks that have impacted over 64 million people and two thousand organizations worldwide, according to a report by Emsisoft.

The attackers exploited a zero-day vulnerability in the MOVEit Transfer product to access Fiserv's systems and, from there, stole Flagstar customer data the vendor held to provide services.

The types of data that were compromised are redacted in the sample data breach notification letters. However, the entry on Maine's data breach portal lists at least names and Social Security Numbers (SSNs) as stolen by the threat actors.

The total number of Flagstar Bank customers impacted by this incident is 837,390 in the United States.

A third breach in two years

This latest breach is the third for Flagstar since March 2021, when it disclosed it suffered a breach from the Clop ransomware gang, who, at the time, hacked its Accellion file transfer server in January of that year.

Based on the data samples posted by the ransomware gang, the hackers managed to steal customer and employee data, including names, addresses, phone numbers, tax information, and SSNs.

In June 2022, Flagstar disclosed another breach of its corporate network that impacted over 1.5 million of its customers in the U.S.

The data compromised in that incident includes at least names and Social Security Numbers. At the time, the company opted again to censor the relevant section on the published notification samples.

What's more worrying is that Fiserv provides services to hundreds of banks, which it has indirectly exposed in the past as a result of other security lapses.

BleepingComputer has contacted Fiserv to ask if the MOVEit breach impacts more financial institutions and their customers, and we will update this post as soon as we receive a response.
