Information on roughly 22,000 Western Alliance customers was accessed through a vulnerability in a third-party vendor’s file transfer software, the Phoenix, Arizona-based bank disclosed last week.
Customers’ names, Social Security numbers and, in some cases, dates of birth, financial account numbers, driver’s license numbers, tax identification numbers, and passport information were among the breached data, the bank told account holders in a letter shared with the Maine Attorney General’s Office.
The breach went undetected for more than three months, according to the timeline the bank provided in the letter. An unauthorized entity acquired the data between Oct. 12 and Oct. 24, 2024, Western Alliance said. But the bank did not discover the access until Jan. 27. Further, the bank did not disclose the breach until March 14 – a 46-day window.
Some states require infiltrated companies to make breach disclosures within a certain time frame. In Western Alliance’s home state of Arizona, that’s 45 days. In Maine, where the notice was posted, the limit is 30 days. Both states, however, allow for exceptions if law enforcement officials ask companies not to report breaches publicly, on the chance that doing so would push the cyber attacker underground.
Western Alliance, for its part, said it is investigating the nature and extent of the breach and has begun to inform affected customers.
“There has been no material impact to business operations or the company’s financials, and we are reviewing existing policies and implementing additional safeguards to further secure the information in our systems,” the bank said in a statement.
A recent Accenture poll found that 85% of bank customers say clear communication about cybersecurity practices is essential. But just 28% rate their bank highly when it comes to providing such clarity.
At the same time, the survey found that customers generally trust banks with their data, but that trust doesn’t extend to the banks’ third-party partners, from which the majority of breaches stem.
A Cleo file transfer tool was cited as the application accessed in the Western Alliance cyberattack, according to Levi & Korsinsky, a law firm investigating the incident.
Data breaches can be costly for banks. A breach of 106 million Capital One customers’ data in 2019 by a former employee of Amazon Web Services spurred enforcement actions against the bank from the Office of the Comptroller of the Currency and the Federal Reserve, in addition to an $80 million penalty. The hacker, Paige Thompson, was convicted in 2022 of wire fraud and five other charges, and sentenced to time served plus five years of probation. The incident also spawned a debate as to the responsibility of third-party vendors in such cases.
Western Alliance’s breach is not nearly on the scale of Capital One’s – nor, for that matter, as wide as the 2023 MOVEit breach that affected Flagstar Bank and Texas Dow Employees Credit Union.
But Western Alliance may find itself especially sensitive to any potential crisis of confidence. The bank was frequently mentioned among lenders most at risk during the spring 2023 downturn in which Signature, First Republic and Silicon Valley Bank failed.
During the crisis, Western Alliance posted frequent updates to investors on the bank’s deposit totals and fended off rumors, published in the Financial Times, that the bank was exploring a sale.
The bank refuted the story, calling it “categorically false in all respects,” and added that not only had it not hired an adviser, as reported, but that it was not exploring options for a sale, and was “considering all of our legal options in response to the story.”
In response to the breach, Western Alliance said it is “enhancing [its] technical security measures” and offering a free one-year membership for an Experian product aimed at detecting data misuse.
“We have no evidence to believe that your personal information has been misused for the purpose of committing fraud or identity theft,” the bank wrote in its letter to potential breach victims. “We value the trust you place in us to protect your privacy, take our responsibility to safeguard your personal information seriously, and apologize for any inconvenience this incident might cause.”