Flagstar Bank Inadequate Security Measures Class Action

Banks and businesses have an obligation to safeguard the personally identifiable information (PII) entrusted to them by their customers. The complaint for this class action alleges that Flagstar Bank, FSB failed in this duty, because it entrusted PII to a vendor who later experienced a data breach.

The Nationwide Class for this action is all individuals whose personally identifiable information was entrusted to Flagstar and was compromised in the December 2020 data breach. A New Jersey Subclass has also been defined for New Jersey residents in the Nationwide Class.

Flagstar Bank is not a small institution. It is said to have assets of $31 billion, to be the sixth largest bank mortgage originator and second largest savings bank in the country, and to have 150 branches in Michigan, Indiana, California, Wisconsin, and Ohio. It not only offers mortgages but also performs mortgage servicing and subservicing for other entities. Flagstar uses Accellion as a vendor for certain functions.

Accellion was using an outdated File Transfer Appliance (FTA) to transfer information on former and current employees and customers. The FTA used CentOS software, which CentOS announced it would not be supporting after November 30, 2020. The complaint states its belief that the “support” withdrawn at that time included “vulnerability testing and patching.”

Sometime around January 22, 2021, Accellion experienced a data breach, involving what the complaint calls an “unauthorized actor” breaching its file sharing platform.

According to the complaint, Flagstar knew that Accellion’s security was insufficient to protect its data. “In fact,” it alleges, “prior to the breach, Accellion encouraged its customers to move to a newer and more secure platform.”

Sometime around March 6, 2021, the complaint claims, Flagstar learned that the unauthorized actor had gained access to documents containing the names, Social Security numbers, dates of birth, financial account numbers, and other PII of Flagstar customers.

The complaint alleges that Flagstar failed to take adequate measures to safeguard the data it had on file. The complaint claims, “Flagstar is responsible for allowing this data breach through its failure to implement and maintain reasonable safeguards and its failure to comply with industry-standard data security practices.” It claims Flagstar “failed to utilize a competent third-party data transfer company when handling and/or transferring sensitive PII and … chose to use an outdated and insecure transfer platform.”

According to the complaint, the exposure of data was “particularly egregious” in light of the all-too-frequent security breaches, including in the area of financial services. The loss of data now exposes customers to fraud and identity theft.

The complaint makes another claim: “In addition, based on [Flagstar’s] actions, [employees and customers] have received services that were and are inferior to those for which they have contracted, and have not been provided the protection and security Flagstar promised when [they] entrusted Flagstar with their PII.”

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Flagstar Bank Inadequate Security Measures Complaint

March 26, 2021

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy