Flagstar Bank Reports Massive Data Breach 6 Months After the Fact

Flagstar breach impacts over 1.5 million people

On June 17, 2022, Flagstar Bank, FSB, based in Troy, Michigan, reported a data breach to the California Attorney General’s Office.

According to the company, between December 3-4, 2021, Flagstar experienced a “cyber incident” in which files containing personal information were accessed and taken from its network.

The sensitive personal information that may have been accessed or acquired includes individuals’ full names and Social Security numbers (SSNs).

Flagstar began notifying affected individuals six months after the breach occurred.

The full notice provided to the California Attorney General can be viewed here. The notice posted on Flagstar’s website can be viewed here.

Flagstar is offering affected individuals two years of complimentary identity monitoring services through Kroll. The deadline for enrollment in Kroll services is listed in the Notice.

California laws protect your privacy

California has laws that specifically protect your personal information.

  • The California Customer Records Act (CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumers’ personal information. Companies must also notify affected California consumers quickly and without unreasonable delay.
  • The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents, including the implementation and maintenance of reasonable security procedures.

If certain types of personal information, like Social Security numbers and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the CCPA and CCRA.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

Electronic personal data doesn’t degrade

It is important to understand the benefits and limitations of any identity theft services. Not all credit monitoring and identity theft services offer the same protections nor cover the same length of time. Before signing up with any credit monitoring service, some useful questions to ask include:

  • Does this service offer dark web monitoring?
  • Does the service monitor all three major credit bureaus on my behalf? (For example, the Kroll service outlined in the Data Breach Notice offers Single Bureau Credit Monitoring.)
  • Does the service come with insurance to cover any immediate financial losses I might have as a result of this data breach? What proof of loss do I have to show? How am I reimbursed?
  • What happens if I have financial losses after the service expires?
  • Does this service assist with fraudulently filed tax returns? Medical identity theft?
  • What exactly will the service do for me if my personal information is sold on the dark web?
  • Can the service stop fraudulent charges from being made on my credit cards? Will it reimburse me if fraudulent charges are made?

It is an unfortunate reality that personal data presents an attractive target for hackers: data can be bought and sold anonymously, and the going rate is under $20 per record, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021. Certain critical types of personal information – like Social Security numbers, names, and birth dates – are impossible or almost impossible to change.

Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

A compromised SSN can be a complicated problem

  1. A hacker with your SSN can use it to get other personal information about you.
  2. Identity thieves can use your SSN and name to apply for credit under your name. When the new credit cards are used by the thieves and they don’t pay, it damages your credit. You may not become aware of the scam until creditors start contacting you for non-payment of the thief’s bills, or you are denied credit.
  3. Stolen SSNs can be used to fraudulently file taxes, apply for jobs, and receive other government benefits.

“Keep in mind that a new [SSN] probably won’t solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So using a new number won’t guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.”

(Social Security Administration Publication No. 05-10064 July 2021.)

Once you know your personal data has been disclosed, it is reasonable to take action to avoid concerns that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.

Personal data is incredibly valuable, both to businesses and to criminals who want to sell that information on the dark web to identity thieves and other black marketeers. However, “it is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”[1] The stakes are high: Data breach victims are more likely to also be victims of additional fraud.[2]


[1] Source: K. Harris, former Attorney General, California DOJ, California Data Breach Report 2012-2015 (2016).

[2] Same