Financial institution Flagstar Bank penalized $3.5 million over deceptive statements following a significant cyberattack in 2021
Flagstar Bank Faces SEC Penalty over Cybersecurity Disclosures
Flagstar Bank, a US-based financial institution, has been ordered by the Securities and Exchange Commission (SEC) to pay a $3.5 million penalty for allegedly misleading statements about a 2021 cyberattack. The bank neither admitted nor denied the commission's allegations but agreed to the penalty and a cease-and-desist order barring it from making misleading statements in the future.
The SEC matter did not address the separate Accellion or MOVEit cyberattacks that have also affected Flagstar. However, the bank's statements about those breaches have faced scrutiny, with some reports indicating potentially misleading or incomplete information about their scope and impact.
In the 2021 cyberattack, a hacker gained access to Flagstar's Citrix environment, resulting in the theft of personally identifying information belonging to 1.5 million customers. According to the SEC, the bank then made materially misleading statements about the attack on its website and in its financial filings.
The SEC found that Flagstar made misleading statements regarding the scope of the Citrix breach in a June 17, 2022, notice to customers and an August 9, 2022, securities filing. In its 2021 Form 10-K filed March 1, 2022, Flagstar did not disclose that it had already experienced a cyberattack that resulted in a customer data leak and interruptions to its mortgage origination business.
The resolution of the SEC matter includes the $3.5 million penalty and a cease-and-desist order barring Flagstar from making misleading statements in the future. The bank's spokesperson stated that it remains committed to compliance and regulatory obligations.
In addition to the SEC matter, Flagstar has been the victim of other cyberattacks since 2021. The bank was affected by the 2023 breach of the MOVEit file transfer system, which impacted about 837,390 of its customers and over 2,000 organizations overall. That breach involved the exploitation of zero-day vulnerabilities in MOVEit Transfer software.
Flagstar did not purchase licensing rights to protect against the vulnerabilities in Accellion's File Transfer Appliance software, which was exploited in a second cyberattack in 2021. The Accellion breach involved an earlier vulnerable file transfer product that, like MOVEit, was exploited in a wide chain of attacks with significant data exposure and regulatory fallout.
Regulators have since intensified enforcement and guidance focused on third-party risk management and timely breach disclosure. The MOVEit breaches in 2023–2024 affected financial institutions including Flagstar and Deutsche Bank, triggering regulatory actions emphasizing third-party cybersecurity controls and incident disclosure.
Despite these challenges, Flagstar Bank remains committed to ensuring the security of its customers' data and complying with regulatory requirements. The bank continues to work closely with regulatory bodies to address any issues and improve its cybersecurity practices.
Third-party file transfer technology was central to the series of cyberattacks experienced by Flagstar Bank. The bank exposed its customers' data because it was not protected against the vulnerabilities in Accellion's File Transfer Appliance software and in MOVEit Transfer software, which were exploited in separate incidents.