March 8, 2021
Flagstar Bank was breached due to an Accellion software zero-day vulnerability. The bank, headquartered in Michigan, is a Flagstar Bancorp subsidiary and provides mortgages and financial services to U.S. customers, according to a ZDNet report.
Flagstar Bank, in a posting on its website, stated Accellion first informed the company of a security issue on January 22, 2021.
Accellion's File Transfer Appliance (FTA) is an enterprise file-sharing product used to transfer large files. Although the product has been discontinued and supplanted by other software, a zero-day vulnerability in it was discovered in December 2020 and has since been exploited by attackers in the wild. Reported victims include Qualys, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission and Transport for New South Wales.
In an email sent to a customer on March 6, and viewed by ZDNet, the company said it "acted immediately to contain the threat and have engaged a team of third-party forensic experts to investigate and determine the full scope of this incident."
Flagstar Bank stated operations were not impacted and the Accellion platform was "segmented" from other network elements such as core banking and mortgage systems.
The financial organization has not revealed how many customers or records may have been compromised. The bank said it will contact potentially impacted customers and provide information regarding free credit monitoring services. Kroll has been hired to provide the free credit monitoring tools.
According to ZDNet, when a customer asked why Flagstar Bank only reached out now, although they were aware of the security issue in January, the company apologized and said it "understood (everyone's) frustration."