Do you have an account with Michigan-based Flagstar Bank?  As one of the largest banks in the United States, it’s quite possible that you do.

If so, be aware that the company recently issued a breach disclosure notification relating to a security incident that occurred in December of 2021 when unknown attackers breached the company’s network.

The notification reads in part, as follows:

“…Upon learning of the incident, we promptly activated our incident response plan, engaged external cybersecurity professionals experienced in handling these types of incidents, and reported the matter to federal law enforcement. 

We have no evidence that any of the information has been misused. Nevertheless, out of an abundance of caution, we want to make you aware of the incident.”

The company also announced that they would be offering two free years of identity monitoring services to impacted individuals.

That’s good because based on information that Flagstar submitted to the Maine Attorney General’s office, there are a lot of impacted individuals.  More than a million and a half, in fact.

While there’s nothing outwardly wrong with the breach notification that the company sent out, there are two key pieces of information that are conspicuously absent.

First, there’s no explanation as to why it took the company half a year to realize that the breach had occurred.

Second, the notification gives no information about exactly what types of information that the attackers made off with.  Is it enough for a hacker to steal one’s identity?  Based on Flagstar’s offering identity monitoring protection, that would seem to be the case. However, there are no particulars provided, so we are left to guess.

In our view, this could have been handled better.  Here’s hoping that Flagstar is more forthcoming in the days ahead.