Flagstar latest of 60 banks affected by MoveIt breaches

The fallout from a security vulnerability in commonly used file transfer software continues for the financial industry. Since July, an additional 35 banks have reported breaches of customers' personal data stemming from the vulnerability, bringing the total number of affected banks to 60.

The latest example is Fiserv and Flagstar Bank, which together suffered one of the largest data breaches stemming from the vulnerability. The bank notified 837,390 customers this month that a breach at Fiserv, which the bank uses for "payment processing and mobile banking," had compromised their data. It was the smallest of the three breaches the bank's customers had suffered in the past three years.

A spokeswoman for Flagstar Bank said the bank, after learning about the breach from Fiserv, "took immediate action" to ensure Fiserv launched an investigation into which bank customers were affected by the data breach and that Fiserv "remediated all technical vulnerabilities and patched systems in accordance with the MoveIt software provider's guidelines."

In May, ransomware group Cl0p began exploiting a since-patched vulnerability in file-transfer software MoveIt to steal data from thousands of organizations, according to cybersecurity firm Emsisoft. As of Wednesday, Emsisoft had tallied 66,148,393 individuals whose data had been compromised by the vulnerability. The tally is derived from public disclosures, such as in state breach notifications and SEC filings, but also includes claims of breaches made on Cl0p's victim-shaming website.

Some of the banks that have newly reported that their data had been compromised did not even use MoveIt software directly. Rather, they had their data stolen because of a breach at a third-party provider using MoveIt.

For example, compliance tech company Sovos has reported to the state attorneys general of Maine and California that it is sending data breach notifications to customers at multiple companies, including seven financial institutions: Midland States Bank, First Internet Bank, First Tech Federal Credit Union, Global Federal Credit Union, Pacific Premier Bank, Patelco Credit Union, and State Street Bank and Trust Company.

There are two banks with the name "State Street Bank and Trust Company." A spokeswoman for the smaller one based in Quincy, Illinois said her institution was not involved with any MoveIt breaches and that the institution has no affiliation with the larger State Street Bank and Trust Company based in Boston, Massachusetts. A spokesman for the Boston-based bank was not immediately available for comment.

A spokeswoman for Patelco Credit Union emphasized that Sovos suffered a breach and that the incident was not a result of a breach at the credit union. She also noted that Sovos immediately took the steps necessary to remediate the breach.

Cyber security

When your vendor's vendor has sloppy security

A security breach that left 24 million mortgage documents unprotected on a server is rekindling concerns about the risks posed by fourth parties.

By Penny Crosman

February 13

Despite the multiple institutions whose data got caught up in the Sovos breach, there have been larger breaches stemming from the MoveIt vulnerability, the largest of which, to date, affected Maximus, a government services company. That breach claimed the data of at least 11 million individuals, according to a regulatory filing from the company.

The third largest MoveIt breach by Emsisoft's counting involved the personal data of customers of Alogent, a deposit automation company. Alogent told the Maine attorney general that it notified "approximately 4,543,850" individuals that a breach involving names, routing numbers, addresses, phone numbers, check payees and remittance amounts stemmed from "a compromise of a server" that exposed "checks processed through Alogent's customer, Huntington Bank."

In a similar example, professional services company Ernst & Young notified 30,210 Bank of America customers of a breach involving their "first name or first initial and last name, address, financial account information, debit or credit card numbers, Social Security number, and/or other unique government-issued identification numbers." EY noted that Bank of America's "systems and servers were not impacted by this event."

A third example in this mold involved First National Bankers Bankshares and BOM Bank. In a letter to affected consumers, BOM said that it "did not experience a breach of its systems," but rather that First National, which provides check clearing services to BOM, had notified BOM that an unauthorized party had accessed images of checks and checking account numbers of BOM customers, all by virtue of the MoveIt vulnerability.

Some breaches do not appear to have involved customer data. For example, the Vermont Department of Financial Regulation disclosed in August that 43 companies (mostly insurers) had notified the state regulator of MoveIt-related breaches. Bank of Burlington appeared on that list, but a press release from the company later clarified that no sensitive personally identifiable information "was compromised or ever at risk."

The following U.S. banks and credit unions have also notified customers of data breaches stemming from the MoveIt vulnerability, or made a regulatory filing disclosing such a breach. Some banks noted that their systems were not compromised but rather that the breach stemmed from a third party's use of MoveIt.

• Aloha Pacific Federal Credit Union
• AmeriServ Financial Bank
• Bank OZK
• BankGloucester
• BankNewport
• Chevron Federal Credit Union
• Dow Credit Union
• Enterprise Bank
• First Farmers Bank & Trust
• First Fed Bank
• First National Bank of Omaha
• Horizon Bank
• Leader Bank
• Lincoln Savings Bank
• M&T Bank Corporation
• Mauch Chunk Trust Company
• MidFirst Bank
• Northern Bank and Trust
• Park National Bank
• Primis Bank
• Space Coast Credit Union
• Stockman Bank
• University Federal Credit Union
• Valley Bank

While few banks have publicly acknowledged MoveIt-related breaches on their website, one exception is Pacific Premier Bank, which was among the banks affected by the Sovos breach.
Pacific Premier advised all of its clients to "be vigilant against attempts at identity theft or fraud" because the MoveIt vulnerability has been "so widespread across government agencies and global enterprises." The bank lists free methods for remaining vigilant, including by monitoring financial accounts and statements, regularly getting free credit reports, and immediately reporting identity theft to local authorities and the Federal Trade Commission via IdentityTheft.gov.