Bank loses customers’ social security numbers after ransomware attack

  • Clop ransomware gang exploited Accellion flaws to steal data
  • Customers angry that their details were breached, even after closing their accounts long ago.

Things don’t get much worse than having to admit to your employees that a gang of cybercriminals have broken into your infrastructure, stolen the private details (social security numbers, names and home addresses) of your staff, and are demanding that your company pays a ransom before further sensitive data is leaked.

Well, actually they do.

Because what if two weeks later the hacked bank (did I mention it was in the top 75 list of largest banks in the United States?) reveals that the cybercriminals have also managed to exfiltrate sensitive data about many of your customers?

As Vice reports, the attack by the Clop ransomware gang against the Flagstar Bank, headquartered in Michigan, became public knowledge earlier this month, after the bank published a statement on its website explaining that it was one of many corporations impacted by a breach related to using Accellion’s ageing FTA file-sharing appliance.

Flagstar Bank’s public acknowledgment of the breach may have spurred the hackers to up the ante, posting details on their website and contacting journalists in an attempt to apply pressure on their victim to pay up.

The names of 18 Flagstar Bank employees were made available on the website, alongside their alleged social security numbers, home addresses, and other personal private information.

However, things became even more serious when it became apparent that the hackers were contacting the bank’s customers, informing them of the breach.

This appears to have spurred Flagstar Bank into contacting affected customers to admit that their Social Security Numbers, home addresses, full names, and phone numbers had also fallen into the hands of cybercriminals.

Affected members of the public were understandably less than happy.

As some affected individuals pointed out, they were not even current customers of the bank.

One woman told Vice that her personal information had been leaked even though she had closed her account more than a decade ago.

The Clop ransomware gang has been exploiting vulnerabilities in the Accellion FTA platform to steal hosted files from a wide array of organisations in recent months – with corporate victims including oil giant Shell, Qualys, NSW Transport Agency, aerospace firms, law firms, and advertising agencies.

Earlier this month, Accellion published a third-party security assessment of its FTA platform, detailing the zero-day vulnerabilities that had been found (and since patched), and describing the attacks as “[demonstrating] a high level of sophistication and deep familiarity with the inner workings of the Accellion FTA software, likely obtained through extensive reverse engineering of the software.”

In the case of Flagstar Bank, it is offering impacted individuals two years’ worth of free credit monitoring and identity protection services, and warning customers to be wary of communications which may be sent to them by the criminals.

Of course, signing up with an identity protection service does mean sharing personal information with yet another online service – something you might feel shy about doing in the immediate aftermath of a data breach like this.

Affected bank customers might also be wise to keep a close eye on their account statements for suspicious activity.