Dive Brief:
- Payment processing giant Fiserv was among the companies ensnared in a cyberattack on file transfer platform MOVEit that occurred in late May, the company said. “We are communicating with affected clients and are providing them with resources including notification, identity and credit monitoring, and call center services,” a Fiserv spokesperson said in an email Monday.
- In an undated notification to its customers, Flagstar Bank said Fiserv recently notified the bank of “a cyber incident that involved unauthorized access to Flagstar customer information in one of their file transfer applications,” the web post said. Fiserv, which provides the bank and its related institutions with payment processing and mobile banking services, uses MOVEit file transfer technology.
- Affected Flagstar customers were sent letters of notification Oct. 6 that also included instructions for enrolling in complimentary credit monitoring and identity theft protection services, the bank said in its note. About 837,390 Flagstar customers were affected by the breach, according to the bank’s Oct. 5 filing with the Maine attorney general’s office.
Dive Insight:
MOVEit, a file transfer service owned by Progress Software, is used by financial institutions, companies and government agencies to send and receive large amounts of oftentimes sensitive information. Ransomware group Clop claimed responsibility for the May attack, which has impacted more than 2,100 organizations and exposed the data of 62 million people, researchers have said.
Victims continue to come forward months after the MOVEit attack was discovered, and third-party providers tend to be particularly susceptible, Cybersecurity Dive has reported. Sony confirmed last week it suffered a MOVEit-related breach.
Fiserv provides payment processing, financial technology and merchant acquiring services to thousands of customers. Its rival, Fidelity National Information Services, was also a victim of the MOVEit attack. “While the incident impacted a limited number of our clients, we have communicated with clients whose information was potentially involved,” an FIS spokesperson said in an Oct. 6 email. “We will continue to take appropriate actions to protect our clients.”
The spokesperson for Jacksonville, Florida-based FIS declined to comment on timing and the number of clients affected. The Fiserv spokesperson also didn’t respond to questions regarding when the company learned it was affected by the MOVEit exposure, when Fiserv notified its clients or how many of the Brookfield, Wisconsin-based company’s clients were affected by the cybersecurity incident.
The mega-processors are among the many organizations impacted by the cybersecurity incident, a group that also includes law firms, insurance providers, healthcare firms, education service providers, Cybersecurity Dive has reported. In July, the Securities and Exchange Commission approved a requirement that companies disclose material cybersecurity incidents within four days.
Progress Software announced May 31 it “had discovered a previously unknown vulnerability, also known as a zero-day vulnerability, in its MOVEit file transfer technology,” Flagstar Bank wrote in its note to customers.
“Fiserv informed Flagstar that because of the vulnerability discovered in May, unauthorized actors obtained Fiserv files transferred via MOVEit,” the Hicksville, New York-based bank told customers in the web post. “These files included customer information.”
When the bank learned of the issue, Flagstar said it “took immediate action to ensure that our vendor had launched a comprehensive investigation, identified individuals affected and notified regulatory bodies.”
“To help prevent something like this happening again our vendor has, through their service provider, remediated all technical vulnerabilities and patched systems in accordance with the MOVEit software provider’s guidelines,” Flagstar wrote.
Spokespeople for Flagstar didn’t respond to requests for comment or a question on what share of the bank’s customer base the affected group represents.