
Cyberattack in 2021 leads to Flagstar facing a hefty fine of $3.5M due to deceptive practices

The bank's inadvertent dissemination of misleading statements following a hack that compromised the personal data of 1.5 million customers.


Flagstar Bank Suffers Multiple Cyberattacks, Exposing Data of Millions

Flagstar Bank, a prominent financial institution, has been hit by a series of significant cyberattacks since 2021, compromising the sensitive data of over 2 million customers.

Details of the Breaches

  • June 2022 Breach (Second Attack Since 2021): Flagstar Bank suffered a data breach that compromised the personal information of approximately 1.5 million customers. The stolen data included Social Security numbers, banking details, and personal information such as names, addresses, and birthdays. The breach is believed to have occurred around December 2021; the bank initiated its incident response protocols and advised customers to monitor their credit for suspicious activity [1].
  • Third Breach Impacting 800,000 Customers (Reported mid-2025): Another significant breach occurred through a third-party service provider, leading to the theft of personal information of over 800,000 customers. This incident is likely connected to the MOVEit Transfer data-theft campaign, which exploited a vulnerability in that file transfer software and affected multiple financial institutions [3].
  • Accellion Incident: While Flagstar Bank was mentioned in reports of multiple cyberattacks on financial institutions, specific details of an Accellion breach directly affecting Flagstar were not explicitly outlined in the provided sources. However, given the bank's history of incidents and the common exploitation of Accellion and MOVEit vulnerabilities by cybercriminals in the financial sector, it is plausible that some of Flagstar's breaches involved these platforms, particularly through external service providers [3].
  • MOVEit Breach: Flagstar Bank was also affected by the 2023 breach of the MOVEit Transfer file transfer system, impacting about 837,390 of its customers [2].

Regulatory Action

The Securities and Exchange Commission (SEC) has ordered Flagstar Bank to pay $3.5 million for allegedly misleading statements about a 2021 cyberattack [4]. The bank neither admitted nor denied the commission's allegations but agreed to the penalty and a cease-and-desist order barring it from making misleading statements in the future [4].

The SEC claims that Flagstar Bank made materially misleading statements about the cyberattack on its website and in financial filings [4]. In its 2021 Form 10-K filed March 1, 2022, Flagstar Bank did not disclose that it had already experienced a cyberattack that resulted in a customer data leak and interruptions to its mortgage origination business [5]. The bank failed to maintain disclosure controls and procedures that would have ensured the bank was ready with all relevant information to make required disclosures [5].

Implications

These breaches primarily compromised sensitive personal and financial data, both through direct network intrusions and through vulnerabilities introduced via third-party service providers, such as those running the exploited MOVEit Transfer software. The bank responded by activating incident response measures, but the pattern underscores the persistent risks in cybersecurity governance and third-party risk management in banking [1][3].

No direct financial loss figures, and no additional technical details on the Accellion incident or the exact breach methodologies, have been publicly disclosed for Flagstar beyond these points [1][3]. The MOVEit breach affected more than 2,000 organizations in total [2].

[1] Source: [Link to the original source 1]
[2] Source: [Link to the original source 2]
[3] Source: [Link to the original source 3]
[4] Source: [Link to the original source 4]
[5] Source: [Link to the original source 5]

Despite multiple cyberattacks persistently targeting Flagstar Bank since 2021, exposing the personal and financial data of millions, the bank failed to address the resulting concerns effectively, as evidenced by the SEC's order that it pay $3.5 million for misleading statements about a cyberattack in 2021 [4]. Furthermore, the bank's failure to maintain disclosure controls and procedures meant its 2021 Form 10-K filing lacked the appropriate information, further exacerbating the issue [5]. The recurring breaches highlight the importance of advanced technology and robust cybersecurity measures in safeguarding critical financial data.
