Flagstar Bank Hit with Class Action Over December 2021 Data Breach Affecting 1.5M Customers

New to ClassAction.org? Read our Newswire Disclaimer

Flagstar Bank faces a proposed class action lawsuit over a late 2021 data breach during which the information of more than 1.5 million consumers was reportedly compromised.

The 61-page lawsuit alleges that Flagstar’s failure to properly safeguard its customers’ sensitive information allowed cybercriminals to access the bank’s network between December 3 and 4, 2021. According to the suit, the data compromised in the breach included 1,547,169 current and former customers’ names, addresses, Social Security numbers, financial details and “other” types of information.

The lawsuit contends that Flagstar Bank, who the case notes is the second-largest savings bank in the country, has exposed its customers to a lifetime risk of identity theft and fraud.

Per the case, Flagstar discovered on or before June 2, 2022 that information had been exfiltrated from its system but has not publicly revealed when it first learned of the data breach. It wasn’t until June 17, 2022, however, that the bank reported the incident to the Maine attorney general, the suit relays.

According to the complaint, “[t]ime is of the essence” when consumers’ personally identifiable information has been exposed to unauthorized access. Flagstar nevertheless took more than six months to discover the breach and notify those whose information was affected, the case argues. The suit claims this delay has left data breach victims “exposed, without knowledge or recourse, for the entirety of that time.”

Moreover, Flagstar has yet to disclose the root cause of the breach and exactly what information was accessed, the case says.

The lawsuit goes on to criticize Flagstar’s offer of 24 months of free credit monitoring and identity repair services through Kroll, arguing that such services are inadequate to protect data breach victims from the “lifelong implications” of having their personal information accessed and published on the internet. The suit looks to provide enough money to pay for identity theft protection services for victims’ respective lifetimes.

Per the case, Flagstar’s failure to prevent the December 2021 data breach was especially egregious given the bank had been subject to another data breach earlier last year. According to the complaint, Flagstar learned in January 2021 that an unauthorized actor had accessed its vendor’s file sharing platform, where current and previous customers’ information had been stored. Despite the bank’s assertions that it was taking steps to secure customers’ data in the wake of the earlier breach, Flagstar’s systems were again accessed without authorization less than a year later, the suit says.

The lawsuit looks to represent anyone in the U.S. whose personally identifiable information was accessed or acquired by an unauthorized party as a result of the data breach reported by Flagstar Bank on or around June 17, 2022.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.