Ransomware Gang Fully Doxes Bank Employees in Extortion Attempt

Hackers posted the alleged names, social security numbers, and home addresses of several Flagstar Bank workers.
Image: Douglas Sacha/Getty Images

A ransomware gang posted the alleged social security numbers and home addresses of several employees of a Michigan bank in a brazen attempt to extort money from the bank by doxing its workers.

On Monday, the hacking group known as Cl0p published the data from Flagstar Bank on a dark web site, and emailed reporters to advertise the extortion attempt. The hackers said that they published the data hoping to convince the bank to pay them to stop leaking its internal data. 


"It often motivates to reconsider the decision," the hackers said in an email sent to Motherboard. "This is advertising for future customers =)" 

The site displayed a table that included the names, social security numbers, and home addresses of 18 alleged employees of Flagstar Bank. The hackers also posted other documents that include private personal information. 

"Want to delete a page or buy data? Write to the email indicated on the home page. We have a lot of private personal information including the SSN, addresses and phone numbers etc... of your clients and employees," the hackers wrote on the site. 

A screenshot of the website where the hackers posted the hacked data. (Image: Motherboard/VICE)

On Monday, before the hackers publicized the stolen data, Flagstar Bank disclosed in a statement that it had been a victim of a data breach. The bank said that it was one of the victims of the hack against Accellion, a company that provides a file transfer app. The hack of Accellion has impacted dozens of companies, including the massive Jones Day law firm.

"Accellion, a vendor that Flagstar uses for its file sharing platform, informed Flagstar on January 22, 2021, that the platform had a vulnerability that was exploited by an unauthorized party," the statement read. "Unfortunately, we have learned that the unauthorized party was able to access some of Flagstar’s information on the Accellion platform and that we are one of numerous Accellion clients who were impacted."


The hackers said that they were negotiating with the bank to get a payment that would have prevented the leak. A source familiar with the bank said that the negotiation was done in an attempt "to buy time essentially to continue to work through the investigation and do everything that they could to identify the impact consumer group and get a jump on trying to notify them and getting those notifications in the mail before the threat actor started leaking data."

The person confirmed that the data breach includes information about bank customers and employees.

Do you have information related to the Accellion breach or other data breaches? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at, or email

Over the last few weeks, the Cl0p gang has leaked data stolen from the Accellion hack, including that of a law firm that worked for the Trump campaign. The Accellion data breach hasn't received much attention, eclipsed by high-profile breaches due to the hack on SolarWinds and the more recent one on Microsoft Exchange servers. But the impact of the Accellion hack is considerable too, with victims ranging from Flagstar Bank, to Harvard Business School and New Zealand's central bank. 

A spokesperson for Flagstar Bank declined to answer questions on whether the hackers had access to employees' or customers' social security numbers, and referred back to the statement. 
