Fiserv attack exposes 837K Flagstar Bank clients


Flagstar Bank’s vendor, the financial technology giant Fiserv, has fallen victim to the MOVEit Transfer attacks, exposing the personal details of hundreds of thousands of the bank’s customers.

Another US-based company has entered the ever-growing list of MOVEit Transfer attacks carried out by the Russia-linked ransomware cartel Cl0p.

Flagstar contacted impacted individuals, saying that attackers have accessed their data via Fiserv, a company that the bank “uses for payment processing and mobile banking purposes.” Fiserv, like thousands of other companies, employed the MOVEit Transfer software.

“[…] the unauthorized activity in the MOVEit Transfer environment occurred between May 27th and 31st, 2023, which was before the existence of this vulnerability was publicly disclosed. During that time, unauthorized actors obtained our vendor files transferred via MOVEit. These files included Flagstar Bank and related institution customer information, including yours,” reads the breach notification.

According to information that Flagstar Bank provided to the Maine Attorney General, 837,390 individuals were impacted by the attack. As a result of the attack, threat actors may have accessed customer Social Security numbers (SSNs).

Losing SSNs poses significant risks, as impersonators can use stolen data in tandem with names and details for identity theft.

To assist victims, Flagstar Bank will offer a complimentary identity monitoring service. Impacted individuals are also advised to remain vigilant and regularly review and monitor their credit history.

MOVEit Transfer attacks

Earlier this year, Cl0p exploited a now-patched zero-day bug in Progress Software’s MOVEit Transfer software, which allowed attackers to access and download the data stored there.

So far, over 2,100 organizations and over 62 million people are confirmed to have been impacted by the MOVEit Transfer attacks.

The Russia-linked gang Cl0p goes by a few different names. People in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The gang is quite old, having been first observed back in 2019.

Numerous well-known organizations have had their clients exposed in the MOVEit attacks. For example, Sony Interactive Entertainment (SIE), a Sony branch responsible for developing PlayStation consoles, said that thousands of its former employees had their data exposed.

Other named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, Johns Hopkins University and Health System, Warner Bros Discovery, AMC Theatres, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.