Flagstar paid $1 million bitcoin ransom in 2021, case filings show

Flagstar Bank paid a $1 million bitcoin ransom in late 2021 to access and delete a swath of sensitive customer data hackers had compromised weeks earlier, court documents say. 

A professional ransomware negotiator helped Flagstar leaders make the payment to the perpetrators on Dec. 31, 2021, according to a deposition of the firm's chief information officer taken in January. That data breach, one of three the company has suffered in recent years, impacted over 1.5 million clients. A federal judge last May consolidated multiple class action complaints over the breach from consumers.

The decision to pay was made by then-CEO Alessandro DiNello along with Flagstar's cyber insurance provider, the negotiator and legal counsel, Flagstar CIO Jennifer Charters told attorneys. Charters, when asked by a lawyer if she agreed with the decision to pay, said it depends on the situation. 

"It certainly does not help to incent threat actors by paying them money to stop, I guess, harassing you," said Charters in the deposition. "On the other hand, depending on the situation that anyone is in … I guess I'll say they want to protect information and it could be worth the cost to protect that data and information."

Federal law enforcement recommends companies don't pay ransoms because, in addition to incentivizing criminals, such payments don't guarantee data recovery. While other mortgage firms have faced ransomware demands, it's unclear if they paid hackers.

Neither Flagstar nor attorneys for either party responded to requests for comment Monday. 

The December 2021 incident came 11 months after 1.4 million Flagstar clients had their personally identifiable information ensnared in a cyberattack that exploited a flaw in a file transfer product. Another 837,390 bank customers were exposed last June in a breach involving a different file transfer product. It's unclear how many of the company's mortgage customers were involved in each incident.

Filings in the Angus v. Flagstar case, the one in which Charters was deposed, say anonymous criminals infiltrated Flagstar's network on November 22, 2021, using log-in credentials stolen from a contractor. Over the following three weeks the attackers exfiltrated customer PII, then deployed ransomware on Dec. 13.

The criminals sent a ransom note via fax, and a separate email to DiNello, according to Charters' deposition. Once Flagstar negotiated the ransom payment, the response team, including the third-party negotiator, connected by remote desktop to a server provided by the hackers in order to delete the stolen Flagstar data from it.

Plaintiffs, in countering Flagstar's motion to dismiss the complaint, wrote in a March 6 motion that it's unclear whether the exfiltrated PII was definitively deleted. 

"Flagstar has offered no competent evidence establishing what data was stolen and when, who stole it, and what those actors might have done with it during, and for months following, the breach," wrote attorneys for plaintiffs. 

Affected customers also take aim at Flagstar's post-breach monitoring of the dark web for evidence their personal information was shared. Risk advisory firm Kroll, which isn't a named defendant, didn't begin monitoring the dark web until October 2022, 10 months after the breach occurred, according to Charters' deposition. 

A separate expert also conducted a search on the dark web for a plaintiff's data on behalf of Flagstar, for two weeks in late 2022, and plaintiff attorneys paint his analysis as limited in scope. The identity of the culprit is also not disclosed in plaintiffs' motions, nor made clear in either public deposition excerpt.

Plaintiffs are seeking class certification, unspecified damages over $5 million and to enforce numerous cybersecurity measures at the bank. No hearing or deadline is scheduled for the case.

In 2022, Flagstar came under the ownership of New York Community Bancorp, the publicly traded business facing prolonged turmoil following poor fourth-quarter earnings. DiNello has since been elevated to CEO, executive chairman and president of NYCB.
