A Michigan federal judge has granted preliminary approval to a $31.5 million settlement resolving consolidated class action claims that Flagstar Bank failed to adequately protect personal information during two major data breaches that exposed sensitive data of more than 2 million people.
U.S. District Judge Matthew F. Leitman signed off on the motion Friday during a remote hearing, directing counsel to submit a proposed order reflecting all relief components. The settlement, if finally approved, would provide nationwide relief to approximately 2.1 million class members affected by the 2021 and 2022 incidents.
The litigation stems from Flagstar’s use of Accellion Inc.’s file transfer platform, which cybercriminals exploited in early 2021, compromising personally identifiable information of nearly 1.5 million individuals. A second breach in 2022 hit the bank’s internal network, affecting another ~1.5 million people (with some overlap).
Plaintiffs alleged Flagstar knew of serious security vulnerabilities in the Accellion system yet continued relying on it, leading to unauthorized access to names, Social Security numbers, driver’s license numbers, financial account details, and other sensitive data.
Under the proposed deal:
