Flagstar agrees to $31.5 million data breach settlement

Flagstar Bank has agreed to a $31.5 million settlement to resolve two class action lawsuits stemming from data breaches which impacted over 2 million consumers.

The agreement, pending a Michigan federal judge's approval, will create the fund for approximately 2,187,170 class members, according to case filings in October. The bank suffered two distinct cyberattacks in 2021, including one in which it paid a $1 million ransom to hackers. 

The deal could end prolonged litigation for the $91.7 billion-asset depository, which is remaking itself after moderate financial struggles. Once a sizable bank player in the mortgage space, the company also sold its servicing and third-party origination operations to Mr. Cooper in November 2024.

The settlement, which would be among the largest by a mortgage lender in recent years, amounts to $14.40 per person, according to plaintiffs. The sum is a "more than adequate outcome," wrote counsel for plaintiffs. While various class members would be entitled to different sums, attorneys will request $10.5 million, or a third of the proposed settlement. 

Neither attorneys for the parties nor spokespersons for Flagstar returned requests for comment Monday. The prospective deal also doesn't relate to yet another incident the bank suffered in 2023 via a breach at Fiserv, which affected 837,390 of the bank's customers.

How Flagstar allegedly suffered two major breaches in a year

The first major data breach occurred because the lender stuck with aging software rather than migrate to a modern, more secure version, plaintiffs allege.

The bank used Accellion's File Transfer Appliance (FTA), software that allows the sharing of files which exceed email size limits, to share sensitive data including mortgage application information. Accellion rolled out a newer application in 2014, and warned customers it would stop issuing security updates for FTA in November 2020.

Flagstar was one of 300 holdouts not to make the switch, and one of around 25 FTA users to suffer a significant data theft, plaintiffs said. Once FTA stopped receiving security updates, hackers attacked the platform, and eventually breached Flagstar sometime in January 2021. In March, cybercriminals posted 80 gigabytes of company data on the dark web, where it remained visible as of last year.

Fewer details are known of the second attack, in which hackers infiltrated the company's network between November and December 2021. According to the Securities and Exchange Commission, which fined the bank over its misleading disclosures, cybercriminals disrupted mortgage originations and encrypted around 30% of Flagstar's workstations and servers.

Former Flagstar CEO Alessandro DiNello and a team including a negotiator paid the perpetrators a $1 million bitcoin ransom on Dec. 31, 2021 to access and delete compromised data, according to case filings. 

How the payouts could be issued

Twenty-two named plaintiffs, who allege various grievances stemming from their data being stolen, are eligible for awards of up to $2,500 each, according to the terms of the proposed settlement. 

Class members, should they not opt-out of the settlement, can receive up to $25,000 in reimbursement for monetary losses if they can provide documentation. Victims will also receive three years of credit monitoring services, while 364,000 members who were California residents at the time of the incidents are also eligible to receive $100. 

The settlement fund, which also covers $500,000 of reimbursement to attorneys for litigation costs, also sets aside funds to pay for administrative costs such as distributing notices and claims. Should there be funds left over, class members are eligible to receive residual cash payouts of up to $599. 

What's next for Flagstar

The sides began negotiating a settlement in April, before accepting a mediator's proposal to resolve the case in August. A federal judge has yet to rule on the motion for preliminary approval, which would kick off a series of deadlines including notices sent out 60 days after the ruling. 

The bank hasn't been profitable since the third quarter of 2023 and posted a $45 million net loss in the recent period. Company leaders last month said they're moving in the right direction, such as reducing Flagstar's exposure to previously troublesome multifamily loans, but weren't firm on promising a return to profitability soon.

"Flagstar's financial condition … was an additional factor in proposed class counsel's analysis in concluding that the settlement was fair, reasonable, and adequate, and in the best interests of the class to resolve the case at this time," wrote the interim co-lead attorneys for plaintiffs.
