fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Flagstar Bank Hit By Data Breach Exposing Customer, Employee Data

Flagstar Bank Hit By Data Breach Exposing Customer, Employee Data

US bank and mortgage lender Flagstar has disclosed a data breach after the Clop ransomware gang hacked their Accellion file transfer server in January.

In December, threat actors affiliated with the Clop ransomware gang began exploiting vulnerabilities in Accellion FTA servers used by organizations to share sensitive files with people outside of their organization. 

On Friday, Flagstar Bank issued a security disclosure on their website and began emailing customers about a breach of their Accellion FTA server.

“Accellion, a vendor that Flagstar uses for its file sharing platform, informed Flagstar on January 22, 2021, that the platform had a vulnerability that was exploited by an unauthorized party. After Accellion informed us of the incident, Flagstar permanently discontinued use of this file sharing platform.

“Unfortunately, we have learned that the unauthorized party was able to access some of Flagstar’s information on the Accellion platform and that we are one of numerous Accellion clients who were impacted,” Accellion warned in the security advisory.

When we contacted Flagstar Bank on Friday with questions about the data breach, the bank directed us to their already published advisory.

However, BleepingComputer has learned that Flagstar was breached not by the original December zero-day vulnerability, which they had patched, but for a new vulnerability utilized by threat actors in January.

Also Read: The 5 Benefits Of Outsourcing Data Protection Officer Service

After threat actors stole their data, BleepingComputer was told Flagstar received a ransom note demanding a bitcoin payment or the data would be released. Below is an example of a ransom note received by Accellion victims.

Example Accellion ransom note received by victims
Example Accellion ransom note received by victims

Ransom demands associated with Accellion attacks have ranged as high as $10 million in bitcoin.

Ransomware gang publishes stolen data

Flagstar utilized their Accellion FTA server to send and receive sensitive documents with their partners and customers.

Today, after Flagstar began notifying victims of the data breach, the Clop ransomware gang released screenshots of stolen data with a warning that it had stolen a lot more personal data.

The shared screenshots illustrate the types of sensitive customer and employee information stolen, including social security numbers, names, addresses, phone numbers, and tax records.

Screenshots of Flagstar data shared on Clop ransomware site
Screenshots of Flagstar data shared on Clop ransomware site

While the ransomware gang has only shared a few screenshots of stolen data, as Flagstar is a bank and mortgage lender, it should be assumed that the threat actors stole further documents containing sensitive information.

Based on the numerous Accellion data leaks published by the Clop gang, it is clear that they are behind all of these attacks and will continue to publish stolen data as victim’s disclose their attacks.

Unfortunately, this means we will likely see further data breaches associated with Accellion FTA hacks soon.

Also Read: How To Prevent WhatsApp Hack: 7 Best Practices

Other victims associated with Accellion FTA attacks are SingtelBombardier, QIMR Berghofer, Washington’s State Auditor officeNew Zealand Reserve BankNSW for Transport, Fugro, Jones Day, Danaher, and the ABS Group.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us