Flagstar to pay $3.5M for misleading about 2021 cyberattack


Flagstar Bancorp will pay a penalty of $3.5 million in compliance with a consent order with the Securities and Exchange Commission (SEC) over what the commission found were misleading statements by the bank regarding a cyberattack the bank suffered in late 2021. That cyberattack was the second Flagstar had suffered that year; it suffered a third two years later.

The SEC said in a filing on Monday that a threat actor in the late 2021 cyberattack gained unauthorized access to Flagstar's Citrix environment, allowing them to use Flagstar applications and remote desktops, steal credentials, then deploy ransomware that encrypted approximately 30% of Flagstar's workstations and servers. The threat actor also stole data during the attack, including personally identifying information (PII) of 1.5 million customers.

The SEC said Flagstar "negligently made materially misleading statements" regarding the breach in financial filings and public claims on its website. According to the order, Flagstar consented to paying the penalty of $3.5 million and a cease and desist order that bars the bank from any future violations regarding misleading claims. The bank neither admitted to nor denied the SEC's claims, according to the order.

In response to a request for comment, a Flagstar spokesperson said the bank was "pleased to have resolved the SEC matter" and that the bank remains "committed to our compliance and regulatory obligations."

Flagstar said in an annual report published March 2022 that cyberattacks "may interrupt our business or compromise the sensitive data of our customers." The bank had listed this possibility as a risk factor, just as other banks do in their own annual reports. But according to the SEC's order, Flagstar did not disclose in the report that it had indeed experienced such cybersecurity attacks already — something it knew at the time.

The SEC's order also said that, in a June 2022 notice to customers posted on its website and an annual filing in August 2022, Flagstar represented that it had suffered unauthorized "access" to its network and customer data. The bank knew at the time that the cyberattack involved more than just access, according to the SEC; it knew that the threat actor had disrupted the bank's systems and stolen customer PII.

The Citrix breach lasted for nearly a month, according to the SEC's order; the threat actor, which the order did not name, attacked Flagstar from November 22, 2021 until December 25, 2021. The attack disrupted Flagstar's mortgage business, impacting its ability to originate, service and close loans. It also intermittently impacted access to Flagstar's website, certain mobile applications and Flagstar's customer call center.

In early December 2021, Flagstar assembled a crisis management team and engaged third-party experts to assist with an investigation of the breach. Later that month, the threat actor contacted Flagstar and demanded ransom payment. The bank then paid the threat actor $1 million in Bitcoin in exchange for the criminals' promise that they would delete the data they had stolen.

By March 2022, Flagstar understood that the stolen data included customer PII, according to the SEC. In early June 2022, Flagstar determined that the number of individuals whose PII the threat actor stole was approximately 1.5 million — roughly a quarter of the bank's active customers across different segments, according to the SEC.

Earlier in 2021, Flagstar suffered a breach that exploited a flaw in file transfer software made by Accellion. Then, in May 2023, it suffered a third data breach in three years. In all three breaches, the threat actors stole customer PII.
