Flagstar Fined $3.5M for ‘Misleading’ After 2021 Cyberattack

### #FlagstarBank #SECSettlement #DataBreachConsequences

Summary: Flagstar Bank has been fined $3.5 million by the SEC for making misleading statements regarding a cyberattack in 2021 that compromised the personal information of 1.5 million customers. The bank’s failure to disclose the full impact of the breach led to allegations of negligence in its communications.

Threat Actor: Unknown hacker
Victim: Flagstar Bank

Key Points:

  • Flagstar Bank’s misleading statements included failure to disclose a significant data breach in its 2021 Form 10-K filing.
  • The SEC found that the bank did not maintain adequate disclosure controls and procedures.
  • This incident marks Flagstar’s second cyberattack in 2021, following a breach related to Accellion’s software vulnerabilities.
  • In 2023, Flagstar was also affected by the MOVEit file transfer system breach, impacting over 837,000 customers.

Flagstar Bank must pay $3.5 million to the Securities and Exchange Commission for making allegedly misleading statements about a 2021 cyberattack, the agency said this week.

After a hacker gained access to Flagstar’s Citrix environment in late 2021 and stole personally identifiable information of 1.5 million customers, Flagstar “negligently made” materially misleading statements on its website and in financial filings, according to the SEC.

In its 2021 Form 10-K filed March 1, 2022, Flagstar said cyberattacks “may interrupt our business or compromise the sensitive data of our customers,” but the bank did not disclose that it had already experienced such attacks that resulted in a customer data leak and interruptions to its mortgage origination business, according to the SEC order.

The commission also found that in a June 17, 2022, notice to customers and an August 9, 2022, securities filing, the bank made misleading statements regarding the scope of the Citrix breach.

Flagstar also failed to maintain disclosure controls and procedures that would have ensured the bank was ready with all relevant information to make required disclosures.

Flagstar neither admitted nor denied the commission’s allegations, but it consented to the $3.5 million penalty and a cease-and-desist order barring it from making misleading statements in the future.

“We are pleased to have resolved the SEC matter. We remain committed to our compliance and regulatory obligations,” a Flagstar spokesperson said in an emailed statement.

The cyberattack was the bank’s second of 2021, after bad actors took advantage of a flaw in Accellion’s File Transfer Appliance software, which Flagstar was using to protect sensitive information.

Flagstar also fell victim to the 2023 breach of the MOVEit file transfer system, which affected about 837,390 Flagstar customers and more than 2,000 organizations.

Source: https://www.cybersecuritydive.com/news/flagstar-sec-fine-cyberattack/736070