This class action brings suit against Flagstar Bankcorp, Inc. and Flagstar Bank, FSB alleging they bear responsibility for the data breach that occurred in the bank’s systems in December 2021. The complaint claimed Flagstar did not implement and maintain security practices adequate to protect the personally identifiable information (PII) it kept in its files.
The class for this action is all California residents to whom Flagstar or its agents sent a Notice of Data Breach letter telling them that their PII was compromised in the data breach.
The data breach took place between December 3 and 4, 2021, but the complaint alleges that Flagstar did not discover it until on or about June 2, 2022 and did not send out notice to the victims until on or about June 16, 2022. The files accessed in the incident contained names, addresses, dates of birth, Social Security numbers, and account or loan numbers, the complaint alleges, and suggests that 1.5 million customers were affected.
The notice did not specify who committed the data breach, how this party gained access to Flagstar’s system, or why it took Flagstar six months to become aware of it, so that the complaint claims the notice was “inadequate and fail[ed] to provide sufficient detail.” However, the complaint blames the data breach on “Flagstar’s inadequate cybersecurity[.]”
Data breaches are harmful to consumers, the complaint alleges, as cybercriminals use stolen information to commit crimes such as credit card fraud, phone or utilities fraud, and bank or financial fraud. Stolen data may be held for a year before it is used, and the complaint cites the LinkedIn data breach, in which information was held for four years before it was used.
The California Consumer Privacy Act (CCPA) gives Californians certain rights with respect to their personal information, including “requesting disclosure of the information collected, the purpose for collecting the information, and any third parties [to] whom the information is sold or disclosed.” The complaint alleges that Flagstar’s Privacy Policy also identify other rights under the CCPA, including “requesting deletion of information, opting out of hav[ing] personal information sold to third parties, and receiving information that identifies any third party that has received personal information.”
The complaint alleges that Flagstar knew or should have known that it was at high risk of a data breach, and should have been on high alert against a cyberattack, because the information it stores is valuable to identity thieves. The complaint asserts, “Flagstar negligently left its computer systems open to attack.”
Article Type: LawsuitTopic: Privacy
Most Recent Case Event
Flagstar Bank Data Breach Not Discovered for Six Months Complaint
January 26, 2023
This class action brings suit against Flagstar Bankcorp, Inc. and Flagstar Bank, FSB alleging they bear responsibility for the data breach that occurred in the bank’s systems in December 2021. The complaint claimed Flagstar did not implement and maintain security practices adequate to protect the personally identifiable information (PII) it kept in its files.
Flagstar Bank Data Breach Not Discovered for Six Months First Amended ComplaintCase Event History
Flagstar Bank Data Breach Not Discovered for Six Months Complaint
January 26, 2023
This class action brings suit against Flagstar Bankcorp, Inc. and Flagstar Bank, FSB alleging they bear responsibility for the data breach that occurred in the bank’s systems in December 2021. The complaint claimed Flagstar did not implement and maintain security practices adequate to protect the personally identifiable information (PII) it kept in its files.
Flagstar Bank Data Breach Not Discovered for Six Months First Amended Complaint