Info on 1.5m people stolen from US bank in cyberattack

A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December. In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, …

  1. VoiceOfTruth Silver badge

    -> The bank has offered affected customers identity theft protection services

    We keep hearing about this. Is it actually any good? I would like to hear from somebody with experience of it, or rather a Reg write up.

    -> We take the security of our network and the personal information entrusted to us with the utmost seriousness

    We keep hearing this canned response too. Maybe their staff are just not up to it.

    1. Doctor Syntax Silver badge

      "We keep hearing this canned response too. Maybe their staff are just not up to it."

      And somehow we never hear them explain why they didn't live up to it. Personally I'd like the media to get together and refuse to report such statements unless they're prepared to answer questions on those lines.

      1. ShadowSystems

        At Doctor Syntax...

        I'd rather the media simply break out the ShockySticks(TM) & start zapping any idiot that even hints at such obvious BS phrases. "No you don't, otherwise this shitshow never would have gotten to where it is now."

        Maybe issue fully charged, full auto, Tasers with super charged battery packs to anyone in the back rows -- anyone not close enough to make use of the ShockyStick(TM) & needs a ranged weapon -- so they can stand up, form a firing squad, & zap the idiots from afar. "If I hear 'we take' one more time, I'll swap dead battery packs & KEEP GOING until you're a smoking, twitching lump!"

        *Deep sigh*

        Damn my fantasies of righteous retribution... =-J

        1. Pascal Monett Silver badge

          We are of the same mind.

      2. VoiceOfTruth Silver badge

        -> Personally I'd like the media to get together and refuse to report such statements unless they're prepared to answer questions on those lines.

        Yes! It's the difference between journalism and repeating a press release.

    2. Michael Wojcik Silver badge

      We've received free "identity theft protection" dozens of times, thanks to the regular parade of breaches. It's never notified us of anything. On the other hand, we've never discovered evidence of successful identity theft – just the occasional compromised debit or credit card details (which has been a widespread problem in the US thanks to foot-dragging on adopting EMV).

      Usually what it means is we can expect a flurry of offers to start paying for the "service" in a few months.

  2. hayzoos

    Identity theft protection services

    In my personal experience, it is not worth what it is claimed to be. I have signed up whenever it is offered as insurance, provided they are not asking for too much information. If I detect identity theft, I can execute a claim.

    I have refused to sign up at a number of them. Reasons? http rather than https form, asking for far more information than needed to monitor for the data purloined, general sense of poor implementation, etc. Ones I have signed up with? Ones that make additional monitored info optional, https obviously required minimally, one implemented real non-SMS 2-factor options.

    I am a "victim" of the 2014-2015 OPM data breach(es). The true answers to most of the "secret" questions as secondary authentication are part of that data breach. I do not provide real answers for secondary authentication. And no two sites have the same answers from me for the same question. I have provided myself with more security than the "protection services" offered for this breach and all others. On the off chance they detect fraud I will benefit though at no cost to me.

    I absolutely refuse to provide more info to these monitoring services than what is required or was in the original breach. These services are the next prime target for data thieves.

    rating: one star out of five

    1. Doctor Syntax Silver badge

      Re: Identity theft protection services

      The examples which have been mentioned in the past are the usual data slurpers such as credit reference agencies. Did they ask for your inside leg measurement?

      1. hayzoos

        Re: Identity theft protection services

        I would not at all be surprised if data slurpers old or new already have my inside leg measurement.

        1. Anonymous Coward

          Re: Identity theft protection services

          Last year my mum told me that my inside leg measurement was stolen when I was ten, but luckily I had updated it 20 years ago when I left college.

    2. Anonymous Coward

      Re: Identity theft protection services

      I was also a victim of the OPM breach and the Yahoo! breach and I signed up for both of the services.

      I appreciate them. The user-id/password scans are no big deal. The phone number and e-mail scans are okay but replicable. But scanning for my SSN, drivers license, bank accounts, and credit cards on the dark web is not something I could easily do. I've never used the ID restoration service, so I can't speak to that but otherwise I'd give them

      rating five stars out of five

      Also, anyone who hasn't put a credit freeze with each of the big three credit reporting agencies (Equifax, Experian, TransUnion) should.

      1. Michael Wojcik Silver badge

        Re: Identity theft protection services

        Also, anyone who hasn't put a credit freeze with each of the big three credit reporting agencies (Equifax, Experian, TransUnion) should.

        Anyone in the US, anyway. By law, freezing at the big three is now free. Just do it. Do it for your underage children, too; if they have SSNs, they're vulnerable.

        And then freeze at as many of the smaller agencies as you can. There are dozens of them, so good luck. Innovis and Chex are a good place to start. Here's one article which lists some of them. I've only skimmed it so I can't vouch for its quality.

    3. _gh_

      Re: Identity theft protection services

      When the offered "protection" is one of the credit bureaus I sign up for it because they already have all the headline data. That said I've never received any notification about "the dark web" from them. And of course not exactly top performers on the data protection front.

      The service offered by my bank turned out to really be a marketing rather than security tool, by a marketing company - they wanted to install an extension to "verify" all websites (the Ts&Cs allowed them to profile and market the data). I never installed it.

      The only dark web data that they provided were alerts based on Troy Hunt's HaveIBeenPwned site and even then the alerts were weeks behind the alerts from Troy.

    4. VoiceOfTruth Silver badge

      Re: Identity theft protection services

      -> The true answers to most of the "secret" questions as secondary authentication are part of that data breach. I do not provide real answers for secondary authentication.

      You make an excellent point.

      -> These services are the next prime target for data thieves.

      And another! It's OK, they are protected by SolarWinds.

    5. DS999 Silver badge

      I'll bet it increases your chance of identity theft

      It is just one more place that will have your personal information in a database waiting for a weakness to be exploited by some hacker or insider.

      I've never once signed up for this "service" when I've been notified I was part of a "breach". So far I haven't ever had any real consequences like someone trying to get a credit card in my name or whatever.

  3. Pascal Monett Silver badge

    "it was compromised between December and April 2021"

    Confusing.

    April comes after December, and typically in the year that follows.

    So it was December 2020 and April 2021.

    Just to be clear.

    1. Michael Wojcik Silver badge

      Re: "it was compromised between December and April 2021"

      It was actually some time between December 1970 and April 2021. Maybe multiple times. Maybe after April too.

  4. lglethal Silver badge

    I'm probably cynical..

    .. But I'd bet a substantial sum that this is the same scrotes who were responsible for the last intrusion (operating under another name of course).

    Once you are in once, it's very easy to install a couple of other backdoors to let you back in later.

    All the more reason not to pay those ransoms, folks...

    1. Anonymous Coward

      Re: I'm probably cynical..

      Could be, but given Flagstar's record, it could just as easily have been any one of thousands of other threat actors.

      I'm a Flagstar customer – they hold one of my mortgages. They send me at least one solicitation for refinancing or an equity loan a week. Not going to happen, kids. As it is, I'd be tempted to move that mortgage if I wasn't in the middle of financing something else at the moment.

  5. Neil Barnes Silver badge

    We have no evidence that any of the information has been misused

    Well obviously the miscreants were white hats on a mission to demonstrate how bad the security was. They're not going to actually use the exfiltrated data for any naughty purposes.

    Right?

    1. Anonymous Coward

      Re: We have no evidence that any of the information has been misused

      This is Flagstar. They have no evidence that can distinguish their ass from their elbow.

  6. Anonymous Coward

    Yes.....I know that Michigan isn't in the EU......

    ....but this is the sort of news which make me think (again) that.....

    .......GDPR is (still) a joke.

  7. mIVQU#~(p,

    Seems a bit odd.

    “ Plus, Flagstar agreed to monitor the dark web for any indications of people's personal data being sold, or other fraudulent activity related to the security breach.”

    Seems a bit odd and ad hoc / without method for the bank's security team to be monitoring dark web forums.

    1. Frank Bitterlich

      Re: Seems a bit odd.

      Thought that too. Are they going to buy every batch of CCNs and SSNs now that are posted on any of these markets from now on, to "monitor" them? Or are they just waiting until any of the suppliers there are stupid enough to mention the source they got the data from? Or are they just repeatedly entering "Flagstar" into Google?
