Hackers publish bank employee data


Crooks have allegedly posted the personal details of several employees of Flagstar Bank, the latest financial institution to suffer a data breach thanks to a vulnerability in file-sharing software from vendor Accellion.

According to Vice, hacking group Cl0p posted the alleged names, social security numbers and home addresses of 18 bank employees on the dark web and then emailed the publication to advertise the fact.

The hackers are threatening to publish more of the bank's data - including on clients - if they do not receive a payment.

Earlier, Michigan-based Flagstar issued a statement saying that Accellion told it on 22 January about a vulnerability with its platform that was exploited by an unauthorised party.

The bank permanently discontinued use of the file sharing platform but has since learned that "the unauthorised party was able to access some of Flagstar’s information on the Accellion platform".

Flagstar says it has called in third-party forensic experts to investigate and will notify any affected customers once a review of the data is completed.

"The Accellion platform was segmented from the rest of our network, and our core banking and mortgage systems were not affected," says the statement.

Flagstar notes that it is one of "numerous" Accellion clients affected by the breach. So far, the Reserve Bank of New Zealand and the Australian Securities and Investments Commission have identified themselves as victims.

Comments: (2)

Andrew Smith - RTGS & ClearBank - London 09 March, 2021, 10:57

What is employee data and customer data doing on a file sharing system? It seems to me there isn't a single day that goes by where the need for SSI (Self-Sovereign Identity) isn't illustrated by such security challenges.

It's time that we as financial services understood what data we really need to hold, and what data should be presented to us. Only then will we understand that data is a liability - not an asset.

Louisa Southey - Contengo Ltd - Abingdon 09 March, 2021, 16:44

Absolutely agree with Andrew; personal details are not necessary most of the time, so only at point of need should they be revealed. Vast teams of software developers are able to access personal data that they simply don't need to know and therefore present an unnecessary security risk.