Flagstar Bank $31.5 Million Data Breach Settlement, Who Is Eligible, What You Can Claim, and What Comes Next

ByAll About Lawyer Reading Time: 8 minutes

A preliminarily approved $31.5 million class action settlement against Flagstar Bank resolves two data breaches — one in January 2021 and a second in late 2021 — that may have compromised the personal information of more than 2.1 million customers and employees. The settlement covers all individuals in the United States whose personally identifying information was impacted by either or both data breaches Flagstar experienced in 2021, as reflected in the class list, and court documents estimate the settlement class consists of approximately 2,187,170 individuals, including 364,000 California residents. 

Eligible class members can file claims for up to $25,000 in documented monetary losses, three years of credit monitoring, or a residual cash payment once the official claim portal opens.

Quick Facts

  • Lawsuit Type: Consumer and employee data breach class action
  • Case Name: Angus et al. v. Flagstar Bank N.A., Case No. 2:21-cv-10657-MFL-DRG
  • Court: U.S. District Court, Eastern District of Michigan
  • Defendant: Flagstar Bank N.A. (now Flagstar Financial, Inc.)
  • Settlement Amount: $31,500,000
  • Settlement Status: Preliminarily approved — February 20, 2026
  • Who May Be Affected: Approximately 2.1 million class members nationwide affected by the 2021 incidents — customers and employees whose personally identifiable information was compromised
  • Claim Deadline: To be announced — official settlement website not yet live as of March 4, 2026
  • Final Approval Hearing: Date to be set by the court
  • Settlement Administrator: To be confirmed — check back at this page for the official settlement website link once it becomes available

Current Status and What Happens Next

U.S. District Judge Matthew F. Leitman granted preliminary approval on February 20, 2026 to the proposed $31.5 million settlement resolving consolidated class claims that Flagstar Bank failed to protect the personal information of customers and employees in two data breaches impacting more than 2 million people.

Here is where things stand and what to expect next:

  • Preliminary approval granted — Judge Leitman signed off on February 20, 2026.
  • Official settlement website not yet live — the court-approved Flagstar Bank settlement website, where consumers can submit a claim form, was not yet live as of late February 2026. The claim portal will be activated after the court issues its formal preliminary approval order.
  • Claim deadline — the deadline to file a claim will be posted on the official settlement website once it launches. Class members should monitor this page for updates.
  • Final approval hearing — a hearing date will be set by the court; final approval must occur before any payments are distributed.
  • Payments — class members cannot expect to receive benefits until the court grants final approval to the Flagstar Bank data breach settlement. All checks must be cashed within 90 days of issuance before they expire.
  • Payment options — Flagstar Bank class members may elect to receive their payments by check or electronic payment upon filing a claim.

What the Lawsuit Alleges

The litigation stems from Flagstar’s use of Accellion Inc.’s file transfer platform, which cybercriminals exploited in early 2021, compromising personally identifiable information of nearly 1.5 million individuals. Plaintiffs alleged Flagstar failed to upgrade to a more secure version of the software even after the vendor warned it would stop issuing security updates.

Flagstar was one of 300 holdouts who did not make the switch to a newer application, and one of around 25 file transfer appliance users to suffer a significant data theft. Once the platform stopped receiving security updates, hackers attacked it and eventually breached Flagstar sometime in January 2021. In March 2021, cybercriminals posted 80 gigabytes of company data on the dark web.

A second breach in late 2021 hit the bank’s internal network, affecting another approximately 1.5 million people, with some overlap between the two groups. The lawsuit also alleged delayed consumer notification — the bank did not inform customers that critical pieces of their personal information were stolen until June 17, 2022, months after the second breach occurred.

Flagstar denies all wrongdoing but agreed to settle to avoid the cost and uncertainty of continued litigation.

Who Could Be Included — Class Definition

The settlement covers all individuals in the United States whose personally identifying information was impacted by either or both data breaches Flagstar experienced in 2021, as reflected in the class list.

The settlement fund benefits a nationwide class of more than 2.1 million consumers whose personally identifying information was impacted by either or both of the data breaches. This includes both Flagstar customers and employees whose data was stored on the affected systems.

California subclass: Approximately 364,000 class members who were California residents at the time of the incidents are also eligible to receive a one-time California statutory cash payment of up to $100.

Personal information types that may have been exposed include names, Social Security numbers, addresses, phone numbers, dates of birth, and financial account information.

Flagstar Bank $31.5 Million Data Breach Settlement, Who Is Eligible, What You Can Claim, and What Comes Next

Settlement Details

Total Settlement Fund

Flagstar Financial, Inc. agreed to pay $31.5 million to resolve the class action lawsuit. The fund covers attorneys’ fees, settlement administration costs, service awards to named plaintiffs, and all compensation paid to class members.

Compensation Options

Option 1 — Documented Monetary Losses (up to $25,000): Class members who submit a claim form with proof of documented monetary losses are eligible to receive up to $25,000 in reimbursement. Supporting documentation must be prepared by a third party, such as invoices or bank statements, and all documented monetary losses must be traceable to the data breach. Covered losses include unreimbursed losses related to fraud or identity theft, professional fees, credit repair service costs, credit monitoring costs, and miscellaneous expenses such as notary, fax, postage, or mileage.

Option 2 — California Statutory Payment (up to $100 — California residents only): Class members who resided in California at the time of the data breach are also eligible to submit a claim form for a one-time cash payment of up to $100 due to California-specific statutory legislation. Class members seeking this benefit must submit their name, address, unique class member ID number, and an attestation under penalty of perjury that they were California residents at the time of the data breach.

Option 3 — Residual Cash Payment (up to $599 — all class members): All class members may submit a claim form to receive a one-time residual cash payment of up to $599. The final amount of the residual cash payment will be a pro rata portion of the net settlement fund after payment of attorneys’ fees, administrative expenses, lead plaintiff service awards, and the cost of all other settlement benefits.

Option 4 — Three Years of Credit Monitoring (all class members): All class members may submit a claim form to enroll in three years of complimentary credit monitoring and identity theft protection services, designed to help customers detect and respond to any suspicious activity on their financial accounts or credit reports.

How to File a Claim

The official settlement website is not yet live as of March 4, 2026. Once the court issues its formal preliminary approval order, the settlement administrator will launch the claim portal and mail notices to class members. Class members should check this article for updates or monitor court docket No. 2:21-cv-10657-MFL-DRG in the Eastern District of Michigan for the official site address and claim deadline.

Prior Actions — The Broader Regulatory Picture

The $31.5 million class action settlement is not the only legal consequence Flagstar has faced over these incidents. The SEC filed settled charges against Flagstar Bancorp in December 2024 for making materially misleading statements regarding the cybersecurity attack on Flagstar’s network in late 2021. The SEC’s order found that Flagstar violated multiple provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934.

Without admitting or denying the SEC’s findings, Flagstar agreed to cease and desist from committing further violations and to pay a $3.55 million civil money penalty.

Separately, the New York State Department of Financial Services also took action against Flagstar related to these incidents, and Flagstar previously fell victim to the 2023 breach of file transfer system MOVEIt, which affected about 837,390 Flagstar customers — an entirely separate matter not covered by the current settlement.

An earlier class action over the Accellion breach resulted in Flagstar agreeing to pay $5.9 million to settle claims filed on behalf of 1.48 million affected consumers, with the bank pledging various enhancements to its third-party vendor risk management program. The current $31.5 million settlement is a separate, consolidated resolution covering both the 2021 Accellion breach and the late 2021 Citrix/network breach.

Frequently Asked Questions

Is this a class action lawsuit? 

Yes. U.S. District Judge Matthew F. Leitman granted preliminary approval on February 20, 2026 to a $31.5 million settlement resolving consolidated class claims that Flagstar Bank failed to protect the personal information of customers and employees in two data breaches impacting more than 2 million people.

Has the settlement been approved? 

The Michigan federal court granted preliminary approval to the proposed $31.5 million settlement on February 20, 2026. The court has not yet set a final approval hearing date. Class members cannot receive payments until the court grants final approval.

Am I eligible to file a claim? 

The settlement covers all individuals in the United States whose personally identifying information was impacted by either or both data breaches Flagstar experienced in 2021, as reflected in the class list, with a class estimated at approximately 2,187,170 individuals. If you received a Flagstar data breach notification letter in 2021 or 2022, you likely qualify.

What is the claim deadline? 

The claim deadline has not yet been announced. The official settlement website is not yet live as of March 4, 2026. Once it launches, the site will display the exact claim deadline. Check this page for updates.

Do I need documentation to file? 

No. All class members can file without documentation and receive a residual pro rata cash payment of up to $599. Class members who submit a claim form with proof of documented monetary losses traceable to the breach are eligible to receive up to $25,000 in reimbursement.

What about the SEC action — is that separate? 

Yes. The SEC filed settled charges against Flagstar Bancorp in December 2024 for materially misleading statements about the 2021 cybersecurity attack, resulting in a separate $3.55 million civil penalty. That SEC action is entirely separate from the consumer class action settlement described in this article.

What happens if I don’t file a claim?

 If you do not submit a valid claim form by the deadline, you will not receive any monetary benefits or credit monitoring from this settlement. Additionally, by not opting out, you give up your right to sue Flagstar separately for the claims resolved by this settlement. Opt-out instructions will be posted on the official settlement website once it launches.

When will payments be sent out? 

Class members cannot expect to receive benefits until the court grants final approval to the Flagstar Bank data breach settlement, which will be determined following a hearing on a later date. Once final approval is granted and claim processing is complete, eligible class members who chose check payments must cash them within 90 days of issuance.

Last Updated: March 4, 2026

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *