Channel: Cyber agencies urge organizations to collaborate to stop fast flux DNS attacks | CSO Online

About 22k WAB customers impacted by a zero-day attack on a third-party vendor


Western Alliance Bank (WAB) has disclosed that a data breach at its third-party vendor’s secure file transfer software has compromised personal information for nearly 22,000 customers.

In a letter to potentially affected customers, the Arizona-based regional bank, which operates over 50 branches with $80 billion in assets, disclosed that forensic analysis indicated unauthorized access to financial data, Social Security numbers, and other sensitive information.

“We reviewed the contents of the files acquired by the third party to determine if they contained any personal information,” the bank said in the letter. “On February 21, 2025, we determined that the files contained some of your personal information, including your name and Social Security number. The files may have also contained your date of birth, financial account number, driver’s license number, tax identification number, and/or passport, if you provided it to Western Alliance.” 

The bank had first disclosed the incident in a February SEC filing, revealing that a limited number of WAB systems were hacked using a zero-day vulnerability affecting secure file transfer software from one of the bank’s third-party vendors.

“The Company was made aware of a zero-day vulnerability at the vendor on October 27, 2024 (the “Vendor Incident”), and immediately activated its incident response process to investigate and deployed all patches as recommended by the software developer. The Company and its information security consultants found no evidence of any unlawful infiltration or exfiltration of any Company or customer data until January 27, 2025, when the Company’s surveillance process identified files related to the Vendor Incident published by the threat actor. The files included data flowing through the file transfer software between October 12-24, 2024, prior to notification of the Vendor Incident,” the company wrote in its SEC filing.

PII, financial details likely compromised

While the bank had said in the SEC filing, citing the preliminary investigation, that it found no unlawful “infiltration or exfiltration of any company or customer data” until January 27, 2025 (also the day the incident was discovered), it sent out letters to customers on March 14, 2025, revealing the new findings.

In a breach notification filed with the Office of Maine’s Attorney General, the bank said it believes a total of 21,899 customers to be affected by the breach.

According to the letters, the compromised data includes name, date of birth, driver’s license number, tax identification number, Social Security number, financial account number, and passport number (if provided to the bank).

An attacker could potentially use this information to carry out identity theft, financial fraud, and social engineering or phishing attacks.

Clop ransomware claimed breach in January

While the SEC filing did not name the third-party software exploited in the attacks or the threat actor involved, the Clop ransomware group claimed in January a massive breach of 58 companies, WAB among them, that used vulnerabilities in Cleo’s managed file transfer platforms.

WAB did not respond to queries seeking attack details and Cleo connections at the time of publication. In May 2023, Clop claimed responsibility for the infamous MOVEit cyberattack that has, to date, affected 2,611 organizations worldwide.

“This is not the first secure file transfer software to be exploited by a zero-day,” Paul Underwood, vice president at Neovera, told CSO. “KiteWorks Accellion software was compromised in a zero-day vulnerability in its FTA product, which led to a series of cyberattacks in late 2020 and early 2021.”

Companies need to start doing better due diligence on what software they are using to store potentially sensitive information, he added. “Encryption should be implemented using public/private key pairs, along with hardware security measures like HSMs to protect the keys.”

