Flagstar Bank has agreed to pay $31.5 million to settle class action claims stemming from two separate data breaches in 2021 that exposed the Social Security numbers, tax records, and personal information of approximately 1.5 million customers. The settlement, which received preliminary approval on February 20, 2026, from U.S. District Judge Matthew F. Leitman in the Eastern District of Michigan, offers affected individuals a pro rata cash payment from the net settlement fund without requiring any proof that the breaches actually harmed them.
That distinction matters — most data breach settlements force you to document identity theft or fraud before you see a dime, but here, simply being a member of the roughly 2,187,170-person class is enough to qualify for a payout. Beyond the no-proof-required cash distribution, class members who did suffer documented losses — fraudulent charges, costs associated with identity theft, time spent dealing with the fallout — can claim up to $25,000 in reimbursement with supporting documentation. The settlement also includes three years of credit monitoring services. Notices are expected to go out by late April 2026, and while the claim filing deadline has not yet been publicly announced, affected individuals should watch their mail closely.
Table of Contents
- How Did the $31.5M Flagstar Bank Settlement Come About After Two 2021 Data Breaches?
- What Can Class Members Actually Claim — and What Are the Limitations?
- The SEC Enforcement Action Against Flagstar — A Separate Problem
- How to File a Claim When Notices Go Out
- Why “No Proof of Harm” Settlements Are Still Unusual — and Why It Matters Here
- Flagstar’s Response and the Ransomware Payment
- What Happens Next and What to Watch For
- Frequently Asked Questions
How Did the $31.5M Flagstar Bank Settlement Come About After Two 2021 Data Breaches?
The settlement resolves consolidated class action lawsuits tied to two distinct cyberattacks that hit Flagstar in rapid succession during 2021. The first breach originated through Accellion, a third-party file-sharing platform that Flagstar used for transferring sensitive documents. Hackers exploited a vulnerability in Accellion’s system between December 2020 and January 2021, and the Clop ransomware gang claimed responsibility, going so far as to release screenshots of the stolen data online. Flagstar was notified of the compromise on January 22, 2021, but by then the damage was done — customer names, Social Security numbers, addresses, phone numbers, and tax records had already been exfiltrated.
The second breach came just months later, between November and December 2021, when attackers penetrated Flagstar’s Citrix environment. This attack was arguably more destructive from an operational standpoint: the hackers stole credentials, deployed ransomware, and encrypted approximately 30 percent of Flagstar’s workstations and servers. The disruption was severe enough to interfere with the bank’s mortgage origination business. Reports indicate that Flagstar paid a $1 million Bitcoin ransom to the attackers in exchange for a promise to delete the compromised data — a decision that, regardless of its effectiveness, underscores how seriously the bank viewed the threat. Together, these two incidents exposed the sensitive financial data of roughly 1.5 million individuals and set the stage for the consolidated litigation that produced this $31.5 million settlement.

What Can Class Members Actually Claim — and What Are the Limitations?
The settlement creates two tiers of compensation. The first tier requires no proof of harm whatsoever. If you were among the approximately 2,187,170 individuals identified as class members, you are eligible for a pro rata share of the net settlement fund — meaning whatever money remains after attorney fees, administrative costs, and service awards gets divided among everyone who files a valid claim. The exact per-person amount will depend on how many people actually submit claims, which is always the wildcard in settlements like this. If participation is low, individual payouts could be meaningful. If a large percentage of the class files, the checks will be smaller.
The second tier is for class members who can document actual out-of-pocket losses connected to the breaches. This includes expenses like fees paid for credit monitoring or identity theft protection services, unreimbursed fraudulent charges, costs associated with freezing or unfreezing credit, and even time spent dealing with breach-related problems. Claims under this tier can reach up to $25,000, but you will need receipts, statements, or other supporting documentation. One important limitation: losses must be reasonably traceable to the Flagstar breaches specifically. If you had your identity stolen but cannot connect it to these incidents — say, because your data was also compromised in unrelated breaches around the same time — your claim for documented losses could face scrutiny. The no-proof tier, however, sidesteps that problem entirely.
The SEC Enforcement Action Against Flagstar — A Separate Problem
The class action settlement is not the only legal consequence Flagstar has faced. The Securities and Exchange Commission separately charged the bank — now operating as Flagstar Financial, Inc. — for making materially misleading statements to investors about the severity of the 2021 cyberattack. According to the SEC’s findings, Flagstar downplayed the breach in its public disclosures, painting a less alarming picture than the facts warranted.
For a publicly traded financial institution holding sensitive customer data, that kind of misrepresentation strikes at the heart of investor trust. Flagstar agreed to pay a $3.55 million civil penalty to resolve the SEC charges. While that figure is modest compared to the $31.5 million class action settlement, the SEC action carries a different kind of sting — it is a formal finding by a federal regulator that the company was not straight with its investors about a cybersecurity incident. For consumers, this detail matters because it validates what the plaintiffs in the class action alleged all along: that Flagstar’s handling of the breaches was inadequate, not just in terms of prevention but in terms of transparency afterward. The SEC enforcement action and the class action settlement are legally separate proceedings, but they tell the same story from two different angles.

How to File a Claim When Notices Go Out
Class members should expect to receive notice of the settlement by approximately late April 2026, which is within 60 days of the February 20 preliminary approval. These notices will arrive by mail or email and will include instructions for filing a claim, along with the deadline for doing so. As of early March 2026, the specific claim filing deadline and final approval hearing date have not yet been publicly announced — those dates are expected to be set after the notice period begins. When it comes time to file, you will face a choice between the two compensation tiers. If you simply want the no-proof pro rata payment, the process should be straightforward: confirm your identity as a class member and submit the claim form.
If you are pursuing documented losses up to $25,000, you will need to gather evidence before filing. Bank statements showing fraudulent charges, receipts for credit monitoring services you purchased, records of time spent on the phone with banks or credit bureaus — all of this strengthens a documented loss claim. The tradeoff is effort versus payout. The no-proof claim requires minimal work but yields a smaller and uncertain amount. The documented loss claim demands more preparation but can result in significantly higher compensation. For people who spent real time and money cleaning up after identity theft, the higher tier is worth the paperwork.
Why “No Proof of Harm” Settlements Are Still Unusual — and Why It Matters Here
Most data breach settlements require class members to demonstrate some form of actual harm before they can collect anything beyond credit monitoring. You typically need to show that someone opened a fraudulent account in your name, that unauthorized charges appeared on your statements, or that you incurred measurable costs responding to the breach. This creates a frustrating catch-22: millions of people have their data exposed, but only a fraction can prove concrete financial harm — and those who cannot prove it walk away with nothing despite being equally at risk. The Flagstar settlement departs from that norm by offering a pro rata cash payment to all class members regardless of whether they experienced documented harm.
This structure acknowledges a reality that courts and plaintiffs’ attorneys have increasingly recognized — that the exposure of Social Security numbers and tax records creates a lasting, ongoing risk that may not manifest for years. Your data does not become safe just because nobody has misused it yet. However, there is a limitation worth noting: “no proof required” does not mean “guaranteed large payout.” The net fund gets divided among all claimants, so if participation is high, individual payments could be relatively small. Named plaintiffs — 22 individuals in this case — are eligible for service awards of up to $2,500 each for their role in bringing the litigation, which comes off the top before the fund is distributed.

Flagstar’s Response and the Ransomware Payment
One of the more striking details in this case is Flagstar’s reported decision to pay a $1 million Bitcoin ransom to the attackers behind the second breach. Ransom payments remain deeply controversial in cybersecurity circles.
Law enforcement agencies, including the FBI, generally advise against paying because it funds criminal enterprises and provides no guarantee that stolen data will actually be deleted. In Flagstar’s case, the bank apparently concluded that the risk of the data being released or sold was serious enough to justify the payment. Whether that ransom actually resulted in the deletion of compromised data is, practically speaking, unverifiable — you are taking criminals at their word.
What Happens Next and What to Watch For
The settlement is still in its preliminary phase. After notices go out in the spring of 2026, the court will set a final approval hearing where objections can be raised and the terms finalized. Assuming final approval is granted, the claims process will open and class members will have a defined window to submit their forms.
Given the size of the class — over 2.1 million people — the administrative process of distributing payments will likely take several months after the final approval. For anyone affected by the Flagstar breaches, the immediate step is to watch for your notice and not discard it as junk mail. Beyond this particular settlement, the case serves as a reminder that financial institutions holding sensitive data remain high-value targets for ransomware gangs, and that the consequences of a breach can take years to fully resolve. The combination of the $31.5 million class action settlement and the SEC’s $3.55 million penalty puts the total cost of Flagstar’s 2021 cybersecurity failures at over $35 million — a figure that does not even account for the reputational damage or the operational disruption caused by having 30 percent of the company’s workstations encrypted.
Frequently Asked Questions
Do I need to prove identity theft or fraud to get money from the Flagstar settlement?
No. The settlement includes a pro rata cash payment available to all class members without any proof of harm. If you were identified as part of the affected class, you can file a claim and receive a share of the net settlement fund. Documented losses allow you to claim up to $25,000, but they are not required for a basic payout.
How do I know if I am a class member in the Flagstar data breach settlement?
The class includes approximately 2,187,170 individuals whose data was compromised in the two 2021 breaches. You should receive a notice by mail or email by approximately late April 2026. If you were a Flagstar Bank customer during 2021 and received a breach notification letter at the time, you are likely a class member.
What is the deadline to file a claim?
As of March 2026, the specific claim filing deadline has not yet been publicly announced. It will be set after the notice period begins, which is expected within 60 days of the February 20, 2026 preliminary approval. Watch your mail for the official notice, which will include all relevant deadlines.
How much money will each class member receive?
The exact per-person amount depends on how many of the 2.1 million class members file claims. The net settlement fund — after deductions for attorney fees, administrative costs, and service awards — will be divided pro rata among all claimants who file for the no-proof payment. Historically, data breach settlements with large classes produce individual payments ranging from a few dollars to a few hundred dollars, though the outcome varies significantly based on participation rates.
Is the Flagstar settlement related to the SEC fine?
They are separate legal actions. The $31.5 million class action settlement compensates affected consumers, while the SEC’s $3.55 million civil penalty was imposed because Flagstar made materially misleading statements to investors about the severity of the breaches. The SEC action does not directly benefit individual consumers, but it reinforces the findings about Flagstar’s handling of the incidents.
Does the three years of credit monitoring start now or after final approval?
Credit monitoring services will be provided as part of the settlement, but the enrollment details and start date will be specified in the claim process materials. Typically, credit monitoring begins after final approval of the settlement and completion of the claims process, not from the date of preliminary approval.