Accellion hack ensnares Flagstar Bank, putting customer and employee data at risk

The bank said it first learned of the vulnerability on Jan. 22, while a ransomware gang doxed employees in an extortion attempt.

The Accellion hack has claimed another victim, this time a financial firm that boasts it’s the second-largest savings bank in the United States.

Michigan-based Flagstar Bank recently began notifying affected customers that on Jan. 22, Accellion, an IT provider, relayed that a vulnerability in its file sharing platform had affected Flagstar. The software flaw has led to breaches at firms around the world, with hackers exploiting the Accellion vulnerability to victimize grocery chain Kroger, cybersecurity company Qualys, the Reserve Bank of New Zealand, the state of Washington, prominent law firm Jones Day (which counts former President Donald Trump among its clients) and perhaps others.

“Unfortunately, we have learned that the unauthorized party was able to access some of Flagstar’s information on the Accellion platform and that we are one of numerous Accellion clients who were impacted,” Flagstar said in a notice on its website.

The Clop ransomware gang, alternately known as Cl0p, also has begun posting what it claims are the Social Security numbers and home addresses of Flagstar employees on a dark web leak site designed to extort the bank into paying up.


Flagstar Bank, which says it has $31 billion in assets, said it had hired Kroll to provide credit monitoring and ID theft services, among other precautions.

“We are working expeditiously with our internal and external teams to determine what data may have been accessed, and will notify any impacted customers directly after we complete a thorough, diligent review of the data,” the company’s statement said.

“Flagstar has been and remains fully operational, and other parts of our IT infrastructure outside of the Accellion platform were not impacted,” it added.

Still, some reported being upset at not getting notified earlier, given the Jan. 22 date in the statement.

A Flagstar spokesperson referred to the company’s statement on its website when reached for comment.
