Flagstar Fined $3.5M For Misleading Statements After 2021 Cyberattack
The SEC issued a hefty penalty and cease-and-desist order, barring future misleading statements
Flagstar Bank, now known as Flagstar Financial, Inc., is required to pay $3.5 million to the Securities and Exchange Commission (SEC) for “negligently” making “materially misleading statements regarding a cybersecurity attack on Flagstar’s network” between November 22 and December 25, 2021, which resulted in the theft of personal information belonging to 1.5 million individuals, including customers.
The cyberattack, also known as the “Citrix Breach,” occurred after a hacker gained access to Flagstar’s Citrix environment in late 2021, allowing them to steal customers’ information.
On a 2021 Form 10-K filed March 1, 2022, Flagstar said cyberattacks “may interrupt our business or compromise the sensitive data of our customers,” but the bank did not disclose that it had already experienced such attacks that resulted in a customer data leak and interruptions to its mortgage origination business, according to the SEC order.
Later, the SEC also found that a June 2022 notice to customers and an August 2022 securities filing contained additional misleading statements regarding the scope of the Citrix breach. Flagstar neither admitted nor denied the commission’s allegations, but still consented to the $3.5 million penalty and the cease-and-desist order that bars the company from making misleading statements in the future.
In an emailed statement, Flagstar's spokesperson said “We are pleased to have resolved the SEC matter. We remain committed to our compliance and regulatory obligations.”
Flagstar previously fell victim to the 2023 breach of the MOVEit file transfer system, which affected about 837,390 Flagstar customers and more than 2,000 organizations.
In October 2024, Flagstar Bank cut its workforce by 8%, or 700 employees, following Mr. Cooper Group's acquisition of Flagstar's residential mortgage servicing business for $1.3 billion, including its mortgage servicing rights (MSRs), advances, subservicing contracts, and third-party origination (TPO) platform.
Cybersecurity Guidance
Aster Key co-founder Brad Blumberg helps lenders and consumers interact securely during the home shopping process. In reaction to Flagstar’s $3.5M penalty, Blumberg discusses what lending and financial institutions need to do in order to combat data breaches.
“Cybersecurity is both a technological and cultural challenge,” Blumberg said in an emailed statement. “The C-suite, from small credit unions to mortgage firms of all sizes, must prioritize key actions to mitigate risks. They must implement strict access controls and enforce role-based access... They also need to adopt multi-factor authentication and require it for all devices and systems.”
Blumberg also advises lenders to explore more than the “industry standard” practices for securing sensitive customer information and, perhaps, give consumers more control over their data with secure and private practices.
“Data sharing should also be limited. Companies should be cautious when sharing data with vendors that don’t meet security standards, and re-look at offshoring their customers’ data,” Blumberg added. “They should also advocate changes in outdated systems, such as credit bureau invasive practices and third-party tools that compromise data security.”