Western Alliance Bank Notifies 21,899 Customers of Data Breach

Around 22,000 customers of Arizona-based Western Alliance Bank have been notified that their personal information was stolen in October after a third-party vendor's secure file transfer software was breached. The bank, which is a wholly owned subsidiary of Western Alliance Bancorporation, a leading U.S. banking company with over $80 billion in assets, revealed the breach in February 2025, after discovering it had been exploited by attackers.

The attackers took advantage of a zero-day vulnerability in the third-party software, disclosed by the vendor on October 27, 2024, to hack a limited number of Western Alliance systems and exfiltrate files stored on the compromised devices. The bank learned that customer data had been taken from its network only after discovering that the attackers had leaked some files stolen from its systems.

Western Alliance notified 21,899 affected customers through breach notification letters sent to them and filed with the Office of Maine's Attorney General. In these letters, the company stated that it has since determined that the unauthorized actor acquired certain files from the systems between October 12, 2024, and October 24, 2024.

An analysis of the stolen files concluded on February 21, 2025, and found they contained customer personal information, including their name and Social Security number, as well as financial account numbers, driver's license numbers, tax identification numbers, and/or passport information if it was provided to Western Alliance. The company assured affected customers that it had "no evidence to believe that your personal information has been misused for the purpose of committing fraud or identity theft."

Western Alliance is also offering those affected one year of free membership for Experian IdentityWorks Credit 3B identity protection services. As a precautionary measure, the company encourages customers to take advantage of the complimentary credit monitoring included in the breach notification letters.

The Breach: A Closer Look

The secure file transfer software compromised in the breach was not named in the breach notification letters or the February SEC filing. However, it is worth noting that Western Alliance Bank is one of 58 companies added to the leak site of the Clop ransomware gang in January. The cybercrime group has been linked to a series of attacks exploiting pre-auth zero-day vulnerabilities in various software products.

The attackers exploited a pre-auth zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom, VLTrader, and Harmony software, which was patched in October. Cleo also released security updates for a second zero-day (tracked as CVE-2024-55956), which the Clop threat actors exploited to deploy a Java backdoor dubbed "Malichus" to steal data and gain further access to the victims' networks.

Prevention is Key

The incident highlights the importance of keeping software up to date and using robust security measures to protect against cyber threats. It also serves as a reminder that even large companies with advanced security systems can fall victim to breaches.

While Western Alliance Bank has taken steps to inform affected customers and provide support, it is essential for all individuals to remain vigilant about their online security. By taking proactive measures such as using strong passwords, enabling two-factor authentication, and monitoring credit reports regularly, individuals can significantly reduce the risk of falling victim to data breaches like this one.

Conclusion

The breach at Western Alliance Bank is a sobering reminder of the ongoing threat of cyber attacks in the digital age. As more companies continue to fall victim to these types of incidents, it is essential for individuals and businesses alike to prioritize security and take steps to protect themselves against data breaches.