Flagstar Bank is providing $31.5 million to settle class action claims stemming from two data breaches in 2021 that exposed the personal information of nearly 2.2 million people. A Michigan federal judge granted preliminary approval to the settlement on February 20, 2026, moving the case closer to final resolution and compensation for affected customers. The breaches, caused by vulnerabilities in file-transfer software from Accellion Inc., represent one of the banking sector’s most significant cybersecurity incidents in recent years.
The settlement comes after Flagstar discovered that hackers exploited outdated Accellion software that the company had failed to patch with available security updates. In March 2021, cybercriminals posted 80 gigabytes of stolen company data on the dark web, and Flagstar subsequently paid hackers $1 million in Bitcoin to delete the compromised information. This settlement addresses the financial and reputational damage to customers whose data was compromised, alongside a separate regulatory settlement with the Securities and Exchange Commission.
Table of Contents
- How Did Flagstar’s Data Breaches Happen and What Was Exposed?
- Who Was Affected and What Was the Scope of the Data Breach?
- What Does the Settlement Provide to Affected Customers?
- How Do You File a Claim for the Flagstar Data Breach Settlement?
- What Security Failures Led to These Breaches and What Should Customers Know?
- What Role Did the Securities and Exchange Commission Play?
- What Does This Settlement Mean for Banking Customers and Future Data Breach Protection?
- Conclusion
How Did Flagstar’s Data Breaches Happen and What Was Exposed?
The breaches stemmed from a critical vulnerability in Accellion’s File Transfer Appliance (FTA), legacy file-transfer software that Flagstar continued to use despite known security risks. The initial breach occurred in January 2021 after Accellion had already stopped providing security updates for the aging platform, leaving the software unpatched against known exploits. This is similar to what happened with other companies that relied on Accellion’s software—over 100 organizations experienced breaches through the same vulnerability in early 2021, illustrating how a single unpatched software flaw can compromise multiple large institutions simultaneously.
The attackers accessed sensitive customer data including names, Social Security numbers, account information, and financial details. By March 2021, approximately 80 gigabytes of stolen company data appeared on the dark web, where it was offered for sale to other criminals. Flagstar discovered the breach relatively quickly and took the unusual step of paying $1 million in Bitcoin to hackers in an attempt to have the data deleted, though there is no guarantee that such payments result in actual destruction of stolen information. Approximately 1.5 million individuals were specifically affected by the Citrix-related breach component of this incident.

Who Was Affected and What Was the Scope of the Data Breach?
Nearly 2.2 million people had their personal information exposed through the two 2021 breaches at Flagstar Bank. This large number underscores the scale of the incident and the extensive reach of Flagstar’s operations across the United States. The exposed data included information critical for identity theft: names, addresses, Social Security numbers, account numbers, and in some cases banking and investment account information. For many of these individuals, the breach created an ongoing risk of identity theft and fraud years after the initial incident.
The significance of the affected population extends beyond mere numbers. When a breach affects millions of people, the cascading effects become substantial—credit agencies receive alerts, credit monitoring services become overwhelmed, and victims face the burden of vigilance against fraudulent activity. Unlike breaches affecting smaller companies or specific geographic regions, a breach of this magnitude at a major financial institution touches customers across all 50 states and affects people with varying levels of financial sophistication and ability to monitor their accounts. This widespread exposure is why the settlement compensation includes three years of complimentary credit-monitoring services, providing some protection against the long-term identity theft risk these customers face.
What Does the Settlement Provide to Affected Customers?
Class members who can document monetary losses directly resulting from the breach are eligible to receive up to $25,000 in compensation. Those without documented losses will receive a pro rata share of the remaining settlement fund, meaning they receive a portion of any unclaimed money divided equally among all class members. Additionally, all class members automatically receive three years of credit-monitoring services at no cost, helping them detect unauthorized activity and potential identity theft. These three components—direct loss compensation, pro rata distribution, and credit monitoring—form a comprehensive compensation structure designed to address both immediate financial harm and long-term security concerns.
The actual amount each person receives depends on several factors, including the number of valid claims submitted, the amount of documented losses reported, and how the court ultimately distributes the settlement fund. Class members with verified out-of-pocket expenses such as credit-monitoring services they purchased, identity theft losses, or time spent resolving fraud will have the strongest claims for the larger compensation amounts. However, the availability of three years of free credit monitoring represents significant value in itself, as identity theft monitoring services typically cost $15 to $30 per month on the open market. For customers who never experienced quantifiable losses, the credit monitoring alone provides meaningful protection without requiring them to prove specific harm.

How Do You File a Claim for the Flagstar Data Breach Settlement?
Eligible class members will need to submit a claim to receive compensation or activate their credit-monitoring benefits. The claim filing process typically requires submitting documentation of any losses you suffered, which may include receipts from identity theft expenses, bills for credit monitoring services you purchased yourself, or financial records showing unauthorized charges. If you were a Flagstar customer and had information compromised in either the January or March 2021 breaches, you should be considered part of the class automatically, even if you did not receive a direct notification letter. Important limitations apply to the claim process.
You will have a deadline to submit your claim—typically several months from when claim forms become available—and missing this deadline usually means forfeiting your right to compensation. Unlike some settlements that automatically pay all class members, this settlement requires active participation through claim submission. If you’re uncertain whether you were affected, look for notification letters from Flagstar or check whether you held accounts with them during January-March 2021. The court-approved claims administrator will maintain a website with information about how to file and what documentation to submit. Keep records of any identity theft issues, fraudulent charges, or monitoring services you’ve purchased since the 2021 breaches, as these documents will support a higher compensation award.
What Security Failures Led to These Breaches and What Should Customers Know?
The Flagstar breaches highlight a critical security failure: the use of unsupported, outdated software despite known vulnerabilities. Accellion had discontinued security updates for its File Transfer Appliance years before the 2021 attacks, yet Flagstar continued operating the system without implementing compensating security controls or replacing it with more modern alternatives. This represents a preventable failure that exposed millions of customers to unnecessary risk. Other financial institutions also relied on the same outdated Accellion software during this period, demonstrating that this was an industry-wide problem, not unique to Flagstar.
The second security vulnerability concerns data retention and destruction. When Flagstar paid $1 million in Bitcoin to hackers to delete the stolen data, there was no way to verify that the data actually was deleted. Paying ransoms does not guarantee destruction of stolen information, and customers should understand that even after a company pays criminals, their data may remain in circulation on the dark web indefinitely. This limitation is crucial for victims to understand: the settlement and even the ransom payment cannot fully eliminate the ongoing risk of identity theft. Customers must remain vigilant about monitoring their accounts and credit reports for years to come, as criminals can use stolen banking and personal information long after the initial breach is reported.

What Role Did the Securities and Exchange Commission Play?
In addition to the class action settlement, the Securities and Exchange Commission took enforcement action against Flagstar Bancorp for making materially misleading statements about the cybersecurity attack to investors. The SEC determined that Flagstar had not adequately disclosed the risks and severity of the breach in its securities filings and public statements. As part of this enforcement action, Flagstar agreed to pay a $3.55 million civil money penalty to settle SEC charges. This parallel enforcement action is significant because it addresses corporate accountability beyond customer compensation—focusing on whether Flagstar misled shareholders about the incident’s impact and the company’s cybersecurity practices.
The SEC settlement demonstrates that data breaches trigger regulatory consequences beyond class action liability. Public companies must accurately disclose cybersecurity risks and incidents to investors, and failing to do so can result in federal securities charges. For affected customers, the SEC action is relevant because it validates that the breaches represented serious failures that warranted regulatory investigation, not merely a technical incident. The combined $31.5 million class settlement and $3.55 million SEC penalty total over $35 million in financial consequences for Flagstar, reflecting the severity that federal regulators assigned to the incident.
What Does This Settlement Mean for Banking Customers and Future Data Breach Protection?
The Flagstar settlement illustrates both progress and limitations in how the legal system addresses data breaches at financial institutions. The $31.5 million recovery provides meaningful compensation to millions of affected customers, and the automatic inclusion of three years of credit monitoring reflects recognition that breach victims face ongoing identity theft risks. However, the settlement also highlights that compensation, while important, cannot fully restore the situation to pre-breach status. Customers must still remain vigilant about monitoring their accounts and credit reports because the stolen data remains accessible to criminals on the dark web and may be used for years.
Looking forward, this settlement may influence how other financial institutions approach legacy software and security updates. The case demonstrates that failing to patch known vulnerabilities carries substantial legal and financial risks, potentially encouraging faster technology modernization across the banking sector. For banking customers, the takeaway is clear: even large, established financial institutions can experience major breaches, making personal vigilance about account monitoring and credit security essential regardless of which bank you use. The settlement framework—combining direct compensation, credit monitoring, and regulatory enforcement—represents the current standard for major data breach resolution, though advocates continue arguing that stronger mandatory cybersecurity standards could prevent breaches more effectively than post-breach settlements alone.
Conclusion
The Flagstar Bank $31.5 Million Data Breach Class Action Settlement compensates nearly 2.2 million people affected by breaches caused by vulnerabilities in outdated file-transfer software. Class members can receive up to $25,000 for documented losses, pro rata distributions of unclaimed settlement funds, and three years of free credit-monitoring services. The preliminary approval granted by the Michigan federal court in February 2026 moves the settlement toward final resolution, though customers must actively file claims to receive compensation.
If you held a Flagstar Bank account during January-March 2021, take steps now to verify your eligibility for settlement benefits and begin the claim process when claim forms become available. Monitor the settlement’s official website for deadlines and claim submission instructions, gather documentation of any identity theft or fraud losses you’ve suffered since the breaches, and activate the complimentary credit-monitoring services once they become available. The settlement represents a form of justice and financial recovery, but your ongoing personal vigilance remains essential because the stolen data continues to pose identity theft risks.
