Hicksville-based Flagstar bank to pay $3.6M fine for misleading customers, investors
A Hicksville-based bank has agreed to pay $3.6 million to resolve allegations that it misled customers and investors about a cyberattack in which hackers stole the personal information of 1.5 million people, federal officials said this week.
Flagstar Financial Inc., formerly New York Community Bancorp Inc., settled with the U.S. Securities and Exchange Commission without admitting or denying the findings of an agency investigation, according to a seven-page report from the SEC.
The cyberattack, which took place in late 2021, targeted Flagstar Bank in Michigan before it was purchased by NYCB one year later. NYCB changed its corporate name to Flagstar in October, after adopting the name for all of its branches on Long Island and elsewhere.
Both Flagstar and NYCB are public companies.
In 2022, the bank “negligently made materially misleading statements” about the cyberattack in securities filings and in a notice to customers posted on its website. For example, the cyberattack and its impact were omitted from the March 2022 annual report to shareholders, and a June 2022 notice to customers failed to disclose the magnitude of the attack that had occurred six months earlier, the SEC report states.
On Thursday, Flagstar issued a statement in response to a request from Newsday for comment: "We are pleased to have resolved the SEC matter. We remain committed to our compliance and regulatory obligations."
The 1.5 million people whose personal information was compromised in the Nov. 22-Dec. 25, 2021, cyberattack represented about one-quarter of the bank's customers at the time. A firm hired by the bank “did not identify evidence that customer data was posted…on the dark web,” the SEC said, citing the bank’s internal review.
However, days after the attack ended, the bank “made a ransom payment in exchange for the threat actor’s promise to allow Flagstar to delete the [personal information] in the threat actor’s possession,” the agency states.
The ransom was paid in $1 million worth of bitcoin, according to court documents in a federal lawsuit filed by customers.
The SEC found that the bank wasn’t forthcoming with customers about the nature of the cyberattack. In its description of the attack in the customer notice, the bank “included no details about the scope or consequence of the Citrix Breach and instead described the steps it took to respond,” the agency said.
The cyberattack was one of three against the bank. The others occurred in early 2021 and in June 2023, records show.
The bank has been struggling for months.
In February, its stock price plummeted – from $10 per share to less than $3 per share – on news of a $2.4 billion charge against last year’s earnings over problems with loans for office buildings and rent-controlled apartment buildings.
The fallout led to the resignation of then-CEO and President Thomas R. Cangemi. Board member Alessandro “Sandro” DiNello temporarily succeeded him and arranged a $1.1 billion cash infusion in March from an investors’ group led by Steven Mnuchin, the former U.S. treasury secretary in President Donald J. Trump's first administration.
DiNello was CEO of Flagstar during the 2021 cyberattack, prior to the buyout by NYCB.
Without last spring's cash infusion, the bank – then operating as NYCB – would have failed, Newsday previously reported.
In recent months, the bank has replaced most of its top management, sold its mortgage servicing and third-party loan origination units and announced plans to lay off 700 employees.