Industry News

Bank loses customers’ social security numbers after ransomware attack

Bank loses customers' social security numbers after ransomware attack
  • Clop ransomware gang exploited Accellion flaws to steal data
  • Customers angry that their details were breached, even after closing their accounts long ago.

Things don’t get much worse than having to admit to your employees that a gang of cybercriminals have broken into your infrastructure, stolen the private details (social security numbers, names and home addresses) of your staff, and are demanding that your company pays a ransom before further sensitive data is leaked.

Well, actually they do.

Because what if two weeks later the hacked bank (did I mention it was in the top 75 list of largest banks in the United States?) reveals that the cybercriminals have also managed to exfiltrate sensitive data related to your multiple customers?

As Vice reports, the attack by the Clop ransomware gang against the Flagstar Bank, headquartered in Michigan, became public knowledge earlier this month, after the bank published a statement on its website explaining that it was one of many corporations impacted by a breach related to using Accellion’s ageing FTA file-sharing appliance.

Flagstar Bank’s public acknowledgment of the breach may have spurred the hackers to up the ante, posting details on their website and contacting journalists in an attempt to apply pressure on their victim to pay up.

The names of 18 Flagstar Bank employees were made available on the website, alongside their alleged social security numbers, home addresses, and other personal private information.

However, things became even more serious when it became apparent that the hackers were contacting the bank’s customers, informing them of the breach.

This appears to have spurred Flagstar Bank into contacting affected customers to admit that their Social Security Numbers, home addresses, full names, phone numbers, and home addresses had also fallen into the hands of cybercriminals.

Affected members of the public were understandably less than happy.

As some affected individuals pointed out, they were not even current customers of the bank.

One woman told Vice that her personal information had been leaked even though she had closed her account more than a decade ago.

The Clop ransomware gang has been exploiting vulnerabilities in the Accellion FTA platform to steal hosted files from a wide array of organisations in recent months – with corporate victims including oil giant Shell, Qualys, NSW Transport Agency, aerospace firms, law firms, and advertising agencies.

Earlier this month, Accellion published a third-party security assessment of its FTA platform, detailing the zero-day vulnerabilities that had been found (and since patched), and describing the attacks as “[demonstrating] a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software, likely obtained through extensive reverse engineering of the software.”

In the case of Flagstar Bank, it is offering impacted individuals two-years worth of free credit monitoring and identity protection services, and warning customers to be wary of communications which may be sent to them by the criminals.

Of course, signing up with an identity protection service does mean sharing personal information with yet another online service – something you might feel shy about doing in the immediate aftermath of a data breach like this.

Affected bank customers might also be wise to keep a close eye on their account statements for suspicious activity.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.