Hackers stole the personal information of 1,547,169 clients of Michigan-based Flagstar Bank in December, according to a document sent by the financial institution to the Office of the Maine Attorney General.
The cyberattack occurred on Dec. 3 and Dec. 4, 2021, but the company determined the individuals affected on June 2, 2022, the document shows. The external data breach resulted in hackers accessing customers’ social security numbers.
“For those impacted, we have no evidence that any of their information has been misused,” Flagstar’s spokesperson Susan Bergesen said in an email. “Nevertheless, out of an abundance of caution, we are offering complimentary credit monitoring services.”
Flagstar Bank said they activated a response plan, engaging some external cybersecurity professionals experienced in handling these incidents, and reported the matter to federal law enforcement.
The company is notifying individuals who may have been impacted directly via U.S. mail.
The data breach happened amid the acquisition of Flagstar. In April 2021, New York Community Bank, one of New York City’s largest multifamily lenders, announced the acquisition of Flagstar Bancorp, the parent company of Flagstar Bank, in an all-stock merger valued at $2.6 billion.
After one year, in April 2022, the banks announced they mutually extended their merger agreement to Oct. 31, 2022, to provide that the combined company will operate under a national bank charter.
Under the new agreement, the merger needs the approval of the Federal Reserve Board and the Office of the Comptroller of the Currency (OCC).
New York Community Bank essentially exited the residential mortgage banking business in 2017 after selling its origination and servicing platforms. With Flagstar, it is entering a shrinking mortgage market.
Flagstar Bancorp has reduced its mortgage staff by 20% this year, laying off 420 employees amid a significant drop in origination volume and margins.
The bank’s net income in the first quarter of 2022 dropped 60.4% from the prior quarter to $53 million. Mortgage revenue decreased $36 million in the same period to $74 million from January to March.
Clarification: An earlier version of this story mischaracterized when Flagstar became aware of the breach. It was discovered in December, after which an internal investigation was launched. Six months later, in June, the investigation determined the names of the affected individuals, at which time the company communicated the breach to those parties.