Flagstar latest of 60 banks affected by MoveIt breaches

The fallout from a security vulnerability in commonly used file transfer software continues for the financial industry. Since July, an additional 35 banks have reported breaches of customers’ personal data stemming from the vulnerability, bringing the total number of affected banks to 60.

The latest example is Fiserv and Flagstar Bank, which together suffered one of the largest data breaches stemming from the vulnerability. The bank notified 837,390 customers this month that a breach at Fiserv, which the bank uses for payment processing and mobile banking, had compromised their data. It was the smallest of the three breaches the bank’s customers had suffered in the past three years.

In May, ransomware group Cl0p began exploiting a since-patched vulnerability in file-transfer software MoveIt to steal data from thousands of organizations, according to cybersecurity firm Emsisoft. As of Wednesday, Emsisoft had tallied 66,148,393 individuals whose data had been compromised by the vulnerability. The tally is derived from public disclosures, such as in state breach notifications and SEC filings, but also includes claims of breaches made on Cl0p’s victim-shaming website.

Some of the banks that have newly reported that their data had been compromised did not even use MoveIt software directly. Rather, they had their data stolen because of a breach at a third-party provider using MoveIt.

For example, compliance tech company Sovos has reported to the state attorneys general of Maine and California that it is sending data breach notifications to customers at multiple companies, including seven financial institutions: Midland States Bank, First Internet Bank, First Tech Federal Credit Union, Global Federal Credit Union, Pacific Premier Bank, Patelco Credit Union and State Street Bank and Trust Company. 

Despite the multiple institutions whose data got caught up in the Sovos breach, there have been larger breaches stemming from the MoveIt vulnerability, the largest of which, to date, affected Maximus, a government services company. That breach claimed the data of at least 11 million individuals, according to a regulatory filing from the company.

The third largest MoveIt breach by Emsisoft’s counting involved the personal data of customers of Alogent, a deposit automation company. Alogent told the Maine attorney general that it notified “approximately 4,543,850” individuals that a breach involving names, routing numbers, addresses, phone numbers, check payees and remittance amounts stemmed from “a compromise of a server” that exposed “checks processed through Alogent’s customer, Huntington Bank.”

In a similar example, professional services company Ernst & Young notified 30,210 Bank of America customers of a breach involving their “first name or first initial and last name, address, financial account information, debit or credit card numbers, Social Security number and/or other unique government-issued identification numbers.” EY noted that Bank of America’s “systems and servers were not impacted by this event.”

A third example in this mold involved First National Bankers Bankshares and BOM Bank. In a letter to affected consumers, BOM said that it “did not experience a breach of its systems,” but rather that First National, which provides check clearing services to BOM, had notified BOM that an unauthorized party had accessed images of checks and checking account numbers of BOM customers, all by virtue of the MoveIt vulnerability.

Some breaches do not appear to have involved customer data. For example, the Vermont Department of Financial Regulation disclosed in August that 43 companies (mostly insurers) had notified the state regulator of MoveIt-related breaches. Bank of Burlington appeared on that list, but a press release from the company later clarified that no sensitive personally identifiable information “was compromised or ever at risk.”

The following U.S. banks and credit unions have also notified customers of data breaches stemming from the MoveIt vulnerability, or made a regulatory filing disclosing such a breach. Some banks noted that their systems were not compromised but rather that the breach stemmed from a third party’s use of MoveIt.

While few banks have publicly acknowledged MoveIt-related breaches on their website, one exception is Pacific Premier Bank, which was among the banks affected by the Sovos breach.
Pacific Premier advised all of its clients to “be vigilant against attempts at identity theft or fraud” because the MoveIt vulnerability has been “so widespread across government agencies and global enterprises.” The bank lists free methods for remaining vigilant, including by monitoring financial accounts and statements, regularly getting free credit reports and immediately reporting identity theft to local authorities and the Federal Trade Commission via IdentityTheft.gov.


Related Articles