The Accellion incident that affected hundreds of FTA clients, including Bombardier, has just had another high-profile entity added to the list: the Michigan-based Flagstar Bank. This financial service provider is one of the largest residential mortgage providers and is among the top 100 banks (by financial size) in the United States. Thus, the incident has the potential to impact a large number of Americans, which is why action to mitigate the involved risks is already being taken.
According to Flagstar’s announcement, Accellion informed them of the ongoing exploitation right after discovering it on January 22, 2021. The bank was using Accellion’s file-sharing platform, inadvertently letting hackers access information on its systems.
Upon learning about the exploit, the bank discontinued the product's use and engaged a team of third-party forensic experts to investigate and determine the scope of the incident. Reportedly, that is why it took them a while to deliver this notice to the public.
Now, the company is sending individual notifications to the impacted clients and is informing the data protection offices in accordance with state and federal regulations. Moreover, the impacted customers will receive credit monitoring services for free, hopefully saving them from fraudsters, hackers, and impersonators. These services will be provided through Kroll and will last for 24 months, including identity theft restoration, credit monitoring, and fraud consultation. Instructions on how to register for these services should be enclosed in the individual notices.
Additionally, you are advised to review account statements regularly and inform the bank and/or law enforcement if you see anything suspicious. Also, request copies of credit reports every 12 months to see if you can find any activity that you don’t recognize as your own. As a more extreme precaution, you can place a security freeze on your credit file.
It is quite unfortunate that clients of Flagstar Bank were left as prey to fraudsters for a total of 1.5 months now, so if you have received any weird emails or phone calls during that time, try to recall what information you’ve given away to the actors. If it was passwords, usernames, PINs, SSNs, etc., go ahead and reset them as soon as possible. The bank should have moved quicker for sure, but in any case, it’s better late than never.