Crooks have allegedly posted the personal details of several employees of Flagstar Bank, which is the latest financial institution to suffer a data breach thanks to a vulnerability with file sharing software from vendor Accellion.
According to Vice, hacking group C10p posted the alleged names, social security numbers and home addresses of 18 bank employees on the dark web and then emailed the publication to advertise the fact.
The hackers are threatening to publish more of the bank's data - including on clients - if they do not receive a payment.
Earlier, Michigan-based Flagstar issued a statement saying that that Accellion told it on 22 January about a vulnerability with its platform that was exploited by an unauthorised party.
The bank permanently discontinued use of the file sharing platform but has since learned that "the unauthorised party was able to access some of Flagstar’s information on the Accellion platform".
Flagstar says it has called in third-party forensic experts to investigate and will notify any affected customers once a review of the data is completed.
"The Accellion platform was segmented from the rest of our network, and our core banking and mortgage systems were not affected," says the statement.
Flagstar notes that it is one of "numerous" Accellion clients affected by the breach. So far, the Reserve Bank of New Zealand and the Australian Securities and Investments Commission have identified themselves as victims.