Ransomwared Bank Tells Customers It Lost Their SSNs

A bank that was hacked by a ransomware gang has notified several customers that it lost their Social Security Numbers, home address, full name, phone number, and home address.

Flagstar, a bank based in Michigan, reached out to customers—and even people who never had an account with the bank or had one years ago—in the last few days with the bad news, according to several victims who spoke to Motherboard, as well several public tweets. In the emails and letters, Flagstar admits that hackers accessed SSNs, a detail the bank did not publicly admit two weeks ago, when it published a disclosure about the late January hack.

In other words, what was already a disastrous hack—given that the bank also lost its own employees' SSNs—just got much worse.  

"On March 6, 2021, we determined that one or more of the documents removed from the Accellion platform contained your Social Security Number, First Name, Last Name, Phone Number, Address," Flagstar wrote, according to pictures shared by multiple customers to Motherboard. "Out of an abundance of caution we have secured the services of Kroll to provide identity monitoring at no cost to you for two years."

A spokesperson for Flagstar confirmed that the bank lost customers’ social security numbers, did declined to say how many. 

The breach appears to have hit people who are not even Flagstar customers anymore. 

One of the victims of the hack, a woman who asked to remain anonymous, said she hasn't been a customer of Flagstar in a decade. 

"I'm pissed," the woman told Motherboard in an online chat. "There's no reason they should have kept my personal information over a decade after I closed out an account. Now the 'Identity Monitoring Service' they sent me to has borked up my information as well. So I can't verify my identity via their inaccurate questions and I now have to wait 3 more days to 'try again' with no recourse."

"Now I have to weigh giving these people (who are so incompetent they can't verify my identity) personal information after A BANK proved it can't keep my information safe. There are no good solutions here," she added. 

In regards to this woman’s case, the Flagstar bank spokesperson said: “We cannot discuss the details of a specific consumer’s account or when it was closed. In some cases, Flagstar may be required to retain certain data after an account is closed.”

Gregory Austin, another victim of the breach, said he has never been a Flagstar customer and still got his SSN hacked. Austin said that a bank that he chose to get a mortgage sold it to Flagstar without his consent in 2019. 

"[I'm] obviously not happy. I never chose to do business with Flagstar. My mortgage was purchased and I refinanced as fast as I could to my personal bank. I hate that a company can just give my information to another company without my input," Austin told Motherboard in an online chat. 

A hacking group that calls itself Cl0p attempted to extort Flagstar holding the company's stolen data to ransom. Flagstar was one of several companies whose data got hacked as part of the data breach against Accellion, a company that provides a file transfer application to other companies. Earlier this year, the hackers broke into the servers of Accellion and began extorting its customers, including a law firm that worked for the Trump campaign. 

Subscribe to our cybersecurity podcast CYBER, here.