Flagstar Bank uses a third-party vendor for payment processing and mobile application assistance called Fidelity Information Services (FIS). FIS recently made Flagstar aware of a data leak resulting from FIS’ file transfer manager, MOVEit. MOVEit data breaches have decimated the tech world over the last few weeks - FIS is the most recent to report.
The MOVEit breach occurred as a zero-day vulnerability where bad actors could access some client files. Flagstar was in the news last month following their Fiserv servicer, which suffered the same vulnerability. It is unknown if victims from both attacks overlap or relate apart from being Flagstar consumers.
The breach notification provided to the Maine Attorney General’s office suggests the attack happened between May 27th and May 31st. This timeline is before the public disclosure of the MOVEit vulnerability. Flagstar immediately started a review, which concluded around November 1st. They subsequently began notifying individuals.
The Maine filing suggests as many as 11,833 individuals may have had their information taken in the assault. Thus, out of caution, Flagstar members should consider defensive information services.
Although the notice suggests the investigations are complete, there is no public number associated with the impacted files. As a result, further reviews may boost the final number higher. Consumers don’t have to wait for a final report or a notice letter to start taking preventative action; the earlier consumers protect themselves, the more challenging the data is to misuse.