Flagstar Financial, Inc., agreed to pay $31.5 million to consumers who filed a class action lawsuit, claiming the bank failed to protect their personally identifying information (PII) in a pair of data breaches, which occurred in consecutive years.
More than 2.1 million consumers were represented in an unopposed motion urging the Ninth Circuit Court of Appeals to order the bank to redress customers harmed by either or both of the breaches it experienced in 2021 and 2022.
The settlement fund requested by the plaintiffs would provide reimbursement for documented monetary losses of up to $25,000, three years of credit monitoring services, California statutory payments of up to $100 and residual cash payments of up to $599.
In December 2024, Flagstar agreed to a $3.55 million settlement with the Securities and Exchange Commission (SEC) for making what the agency described as “materially misleading statements” regarding a cybersecurity attack on Flagstar’s network in late 2021, also known as the “Citrix Breach.”
“During December 2021, the Citrix Breach intermittently disrupted Flagstar’s mortgage business, including impacting the bank’s ability to originate, service, and close loans,” the SEC consent order stated. “As a result of the Citrix Breach, Flagstar shut down its network for several hours, rebuilt or restored hundreds of its servers that supported bank-wide business operations, and reset passwords for thousands of Flagstar employees and contractors throughout December 2021. The Citrix Breach also intermittently impacted access to Flagstar’s website, certain mobile applications and Flagstar’s customer call center in December 2021.”
The breach occurred when “international cyber criminals” discovered and exploited a critical vulnerability in an online gateway running Citrix NetScaler ADC and NetScaler Gateway, gaining intermittent access to the bank’s internal network between Oct. 13, 2018, and Mar. 8, 2019. The attackers targeted several accounts, trying weak or common passwords until they gained access to the network. From there, the intruders exfiltrated business documents and a drive tied to a web-based consulting tool.
For more Dodd Frank Update coverage of matters related to data privacy and the CFPB’s efforts to implement Sec. 1033 of the Dodd-Frank Act, visit the “Data Privacy Vault” – a resource library holding all of our coverage of every volley in the ping-pong match between the finance industry and regulators over how best to protect consumers’ sensitive data in the rapidly evolving virtual financial marketplace.