Flagstar Bank 2021 Data Breach Class Action

This class action alleges that Flagstar Bank, FSB failed to protect the personally identifying information (PII) it held in its systems, resulting in a cyberattack in December 2021. Flagstar is a major mortgage originator, based in Michigan, and also services mortgage loans. The complaint quotes Flagstar as saying that it “believe[s] that banking with us will always be private, personal, and secure.” The complaint then comments, “This isn’t the case.”

The class for this action is all individuals and entities in the US whose personal identifying information was accessed in the data breach announced by Flagstar ono or around June 17, 2022.

The data breach took place between December 3 and 4, 2021, affecting some 1.5 million people, and the complaint alleges that the PII stolen included names and Social Security numbers. According to the complaint, Flagstar claimed to have discovered the breach on June 2, 2022 and sent out written notifications to the individual victims on June 17, 2022.

“However,” the complaint alleges, “Flagstar informed multiple media outlets that it had learned of the breach in December 2021. If this is so, Flagstar delayed informing the victims for a significant period of time.

Flagstar’s Privacy Statement, as quoted in the complaint, includes the usual promises: “Flagstar is committed to maintaining the security of the data you provide us. We use security controls that comply with applicable federal laws to protect against unauthorized access and use of your Personal Information in our custody or control.”

However, as quoted by the complaint, it then becomes oddly fatalistic about the risks customers take when storing information with it: “Flagstar cannot promise, and you should not expect, that we will be able to protect your Personal Information at all times and in all circumstances. Flagstar cannot guarantee the security and privacy of transmissions via the Internet, and we will not be liable for any lack of security relating to the use of the Banking Services by you. You agree that you will not hold Flagstar liable for any damages resulting from any loss of privacy and security occurring in connection with any such communications.”

It advises its customers to “[t]ake the proper steps to protect yourself from potentially damaging [cyberattacks].”

Perhaps Flagstar takes this view because this was not the first time it experienced a hack. The complaint alleges, “Less than a year earlier, in January 2021, hackers gained unauthorized access to Flagstar customer names, Social Security numbers, and home addresses through a breach of third-party vendor Accellion’s computer systems.”

According to the complaint, this previous incident put Flagstar on notice that its systems could be targeted by cybercriminals. “Despite this knowledge,” the complaint alleges, “Flagstar failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information.”

Article Type: Lawsuit
Topic: Privacy
Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy