Skip to main content
A white-haired woman looks at her computer with concern as she realizes her important online data was breached.

Flagstar Bank Data Breach Investigation | MOVEit

Flagstar, a commercial bank headquartered in Troy, Michigan, has once again announced a data breach that may have impacted tens of thousands of customers. On October 6, 2023, Flagstar filed a notice with the Attorney General of Maine notifying consumers of a third-party data breach that involved the MOVEit server of Fiserv, a third-party vendor.

The bank explains that the incident resulted in an unauthorized party being able to access consumers’ sensitive information, which includes names and Social Security numbers. The number of reported Flagstar Bank customers impacted by this newest incident is 837,390.

The Lyon Firm filed an unrelated class action data breach complaint against Flagstar in 2022 on behalf of a plaintiffs who alleges the bank failed to protect sensitive personal information of clients nationwide. 

Flagstar Bank is one of the largest residential mortgage servicers in the country. It was among the largest banks in the United States before an acquisition by New York Community Bank in late 2022.

Last year, over 1.5 million individuals may have been impacted by a security incident that compromised sensitive personal information. Many of the same individuals are likely affected, and it is not yet clear what information has been leaked in this most recent attack, but reports suggest Social Security numbers have been compromised.

What Happened?

Fiserv, a third party provider, was breached by the Clop ransomware group. Fiserv offers payment processing and mobile banking services to Flagstar Bank, it was the victim of the large-scale MOVEit campaign. Flagstar Bank has said, “Unauthorized activity in the MOVEit Transfer environment occurred between May 27 and 31, 2023, which was before the existence of this vulnerability was publicly disclosed. During that time, unauthorized actors obtained our vendor files transferred via MOVEit.”

The MOVEit transfer attack has impacted tens of millions of consumers worldwide, and the Fiserv breach is very concerning to other bank customers as it offers services to hundreds of banks, and has compromised data in the past in past IT security lapses.

Another Flagstar Data Breach?

This may sound like old news, but there has been a separate attack. In December 2021, Flagstar experienced a cyber incident that involved unauthorized access to their network. Flagstar started to investigate the data theft event with the assistance of third-party forensic experts and discovered on June 2, 2022 that certain impacted files containing personal information were accessed and/or acquired from their network between December 3, 2021 and December 4, 2021.

The more recent ransomware attack not only impacted banking customers as in the past but hundreds of organizations around the world.

The Lyon Firm has handled Flagstar claims in the past, and will do so again for victims and plaintiffs nationwide. Our lawyers can assist you in learning more about the ransomware attack and determining what your next steps should be to protect yourself from fraud and identity theft. Contact our attorneys today to learn about possible legal recourse.